Hi Eric and Everyone, draft coauthor here. Appendix C lists "DHE Cipher Suites Refered to by This Document", not ones which are deprecated. The intention of the current text is to permit fully ephemeral DHE over a finite field (FFDHE) with sufficient group size.
However, we also have an unresolved consensus call regarding whether/to what extent to permit FFDHE when this document (hopefully) becomes an official RFC: https://mailarchive.ietf.org/arch/msg/tls/iZGV0kKHfbV5MrO-owB8mFwfffw/ so at any rate, the current text around FFDHE is mostly a placeholder. I do hope to present at the upcoming WG meeting and resolve this issue, which should be the last one (famous last words, I know).

Happy to answer further questions, or generally get a discussion going on here before the meeting.

best,
Nimrod

On Thu, 2 Mar 2023 at 23:19, Eric Rescorla <e...@rtfm.com> wrote:

> Hi folks,
>
> I was just reading draft-ietf-tls-deprecate-obsolete-kex-01.txt
> and the combination of Section 3 and Appendix C is confusing
> to me.
>
> Specifically, the text says:
>
> Clients and servers MAY offer fully ephemeral FFDHE cipher suites in
> TLS 1.2 connections under the following conditions:
>
> 1. Clients and servers MUST NOT reuse ephemeral DHE public keys
> across TLS connections for all existing (and future) TLS
> versions. Doing so invalidates forward secrecy properties of
> these connections. For DHE, such reuse may also lead to
> vulnerabilities such as those used in the [Raccoon] attack. See
> Section 6 for related discussion.
>
> 2. The group size is at least 2048 bits.
>
> ...
>
> All the cipher suites that do not meet the above requirements are
> listed in the table in Appendix C.
>
>
> And then Appendix C lists, for instance:
>
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>
> Which as I understand it, can be used with the above requirements
> as long as you use a suitable group, so this makes me think maybe
> I don't understand the text. What cipher suites is this intended
> to permit in TLS 1.2?
>
> -Ekr
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
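The two conditions quoted from the draft in this thread (no reuse of ephemeral DHE public keys across connections, group size of at least 2048 bits) can be checked for the server side from the ServerDHParams structure carried in TLS 1.2 ServerKeyExchange messages. The Python below is an added example, not part of the thread or of the draft; the function names are hypothetical, and the sample bodies are constructed (the moduli are integers of the right bit length, not real primes).

```python
import struct

MIN_GROUP_BITS = 2048  # condition 2 in the quoted draft text

def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, section 7.4.3): dh_p, dh_g, dh_Ys,
    each a 2-byte big-endian length followed by that many bytes."""
    fields, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(fields)  # (p, g, Ys); any signature bytes that follow are ignored

def audit_handshakes(bodies):
    """Return one list of findings per handshake, in order: 'small-group'
    when p is under 2048 bits, 'reused-Ys' when (p, g, Ys) was seen before."""
    seen, findings = set(), []
    for body in bodies:
        params = parse_server_dh_params(body)
        issues = []
        if params[0].bit_length() < MIN_GROUP_BITS:
            issues.append("small-group")
        if params in seen:
            issues.append("reused-Ys")
        seen.add(params)
        findings.append(issues)
    return findings

def encode_params(p, g, ys):
    """Helper that builds a constructed ServerDHParams body for the sample."""
    raws = [v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (p, g, ys)]
    return b"".join(struct.pack("!H", len(r)) + r for r in raws)

# Constructed sample input: not real captures and not real primes, only
# integers with the bit lengths needed to exercise both checks.
P_2048, P_1024 = (1 << 2047) | 1, (1 << 1023) | 1
SAMPLE = [
    encode_params(P_2048, 2, 0x1234),  # 2048-bit group, fresh Ys
    encode_params(P_2048, 2, 0x1234),  # same Ys as the previous connection
    encode_params(P_1024, 2, 0x9999),  # 1024-bit group
]

if __name__ == "__main__":
    print(audit_handshakes(SAMPLE))
```

The check only sees the server's public value; client-side reuse of Yc would need the same comparison over ClientKeyExchange bodies.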