Hi folks, I was just reading draft-ietf-tls-deprecate-obsolete-kex-01.txt and the combination of Section 3 and Appendix C is confusing to me.
Specifically, the text says:

    Clients and servers MAY offer fully ephemeral FFDHE cipher suites in TLS 1.2 connections under the following conditions:

    1. Clients and servers MUST NOT reuse ephemeral DHE public keys across TLS connections for all existing (and future) TLS versions. Doing so invalidates forward secrecy properties of these connections. For DHE, such reuse may also lead to vulnerabilities such as those used in the [Raccoon] attack. See Section 6 for related discussion.

    2. The group size is at least 2048 bits.

    ...

    All the cipher suites that do not meet the above requirements are listed in the table in Appendix C.

And then Appendix C lists, for instance:

    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

which, as I understand it, can be used with the above requirements as long as you use a suitable group, so this makes me think maybe I don't understand the text.

What cipher suites is this intended to permit in TLS 1.2?

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
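An added example (not from Ekr's message or from the draft) showing the two quoted conditions as a defender-side audit: it parses the ServerDHParams prefix of a TLS 1.2 ServerKeyExchange and flags groups smaller than 2048 bits and dh_Ys values reused across connections. The moduli and public values in the sample are constructed placeholders, not real safe primes or captured keys.

```python
import struct

def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams (RFC 5246 7.4.3): three opaque fields dh_p, dh_g,
    dh_Ys, each with a 2-byte length prefix. Returns ints plus bytes consumed."""
    off, fields = 0, []
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack("!H", data[off:off + 2])
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad ServerDHParams field length")
        fields.append(int.from_bytes(data[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return {"p": p, "g": g, "Ys": ys, "consumed": off}

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build constructed sample messages."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out

def audit_dhe_connections(messages):
    """messages: list of (connection_id, ServerKeyExchange bytes).
    Flags the two draft conditions: group size below 2048 bits, and an
    ephemeral (p, g, Ys) tuple seen again on a later connection."""
    findings, seen = [], {}
    for conn, msg in messages:
        params = parse_server_dh_params(msg)
        bits = params["p"].bit_length()
        if bits < 2048:
            findings.append((conn, f"group size {bits} < 2048 bits"))
        key = (params["p"], params["g"], params["Ys"])
        if key in seen:
            findings.append((conn, f"dh_Ys reused from connection {seen[key]}"))
        else:
            seen[key] = conn
    return findings

# Constructed placeholders (NOT real primes): a 2048-bit and a 1024-bit modulus.
P2048, P1024 = (1 << 2047) | 1, (1 << 1023) | 1
SAMPLE_MESSAGES = [
    ("c1", encode_server_dh_params(P2048, 2, 0x1234_5678)),
    ("c2", encode_server_dh_params(P2048, 2, 0x1234_5678)),  # same Ys as c1
    ("c3", encode_server_dh_params(P1024, 2, 0x0BAD_CAFE)),  # group too small
]

def run_sample_audit():
    return audit_dhe_connections(SAMPLE_MESSAGES)
```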