On Fri, Mar 3, 2023 at 9:21 AM Nimrod Aviram <nimrod.avi...@gmail.com> wrote:
> Hi Eric and Everyone, draft coauthor here.
>
> Appendix C lists "DHE Cipher Suites Referred to by This Document", not ones
> which are deprecated.
> The intention of the current text is to permit fully ephemeral DHE over a
> finite field (FFDHE) with sufficient group size.
>

That's what I got from the title of Appendix C, but then what does this text mean: "All the cipher suites that do not meet the above requirements are listed in the table in Appendix C." Because, as you say, some of the suites in C meet this requirement.

> However, we also have an unresolved consensus call regarding whether/to
> what extent to permit FFDHE when this document (hopefully) becomes an
> official RFC:
> https://mailarchive.ietf.org/arch/msg/tls/iZGV0kKHfbV5MrO-owB8mFwfffw/
> so at any rate, the current text around FFDHE is mostly a placeholder.
> I do hope to present at the upcoming WG meeting and resolve this issue,
> which should be the last one (famous last words, I know).
>
> Happy to answer further questions, or generally get a discussion going on
> here before the meeting.
>

OK, so we don't need to spend too much time on this, but I'd still like to understand the intent :)

-Ekr

> best,
> Nimrod
>
> On Thu, 2 Mar 2023 at 23:19, Eric Rescorla <e...@rtfm.com> wrote:
>
>> Hi folks,
>>
>> I was just reading draft-ietf-tls-deprecate-obsolete-kex-01.txt
>> and the combination of Section 3 and Appendix C is confusing
>> to me.
>>
>> Specifically, the text says:
>>
>> Clients and servers MAY offer fully ephemeral FFDHE cipher suites in
>> TLS 1.2 connections under the following conditions:
>>
>> 1. Clients and servers MUST NOT reuse ephemeral DHE public keys
>> across TLS connections for all existing (and future) TLS
>> versions. Doing so invalidates forward secrecy properties of
>> these connections. For DHE, such reuse may also lead to
>> vulnerabilities such as those used in the [Raccoon] attack. See
>> Section 6 for related discussion.
>>
>> 2. The group size is at least 2048 bits.
>>
>> ...
>>
>> All the cipher suites that do not meet the above requirements are
>> listed in the table in Appendix C.
>>
>> And then Appendix C lists, for instance:
>>
>> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>>
>> Which as I understand it, can be used with the above requirements
>> as long as you use a suitable group, so this makes me think maybe
>> I don't understand the text. What cipher suites is this intended
>> to permit in TLS 1.2?
>>
>> -Ekr
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
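As an added illustration of the two conditions quoted in the thread (not code from the draft or from anyone on the list): a small audit over constructed TLS 1.2 handshake observations that judges compliance by group size and by DHE public-value reuse across connections rather than by cipher suite name, which is exactly the distinction being asked about. The `Handshake` record, `audit` function and all sample values are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_GROUP_BITS = 2048  # condition 2 of the draft text quoted in the thread

@dataclass
class Handshake:
    """One observed TLS 1.2 handshake (constructed sample, not captured data)."""
    conn_id: str
    cipher_suite: str
    dh_prime_bits: Optional[int]  # bit length of the FFDHE prime p, None if no DH
    dh_public: Optional[bytes]    # server DH public value from ServerKeyExchange

def is_ffdhe_ephemeral(suite: str) -> bool:
    # Only TLS_DHE_* suites (ephemeral finite-field DH) fall under the MAY;
    # static TLS_DH_* and TLS_DH_anon_* suites do not match this prefix.
    return suite.startswith("TLS_DHE_")

def audit(handshakes: List[Handshake]) -> Dict[str, List[str]]:
    """Map conn_id -> violations for DHE handshakes that fail either condition.
    Reuse is judged across the whole batch: the draft forbids reuse across connections."""
    seen: Dict[bytes, List[str]] = defaultdict(list)
    for h in handshakes:
        if is_ffdhe_ephemeral(h.cipher_suite) and h.dh_public is not None:
            seen[h.dh_public].append(h.conn_id)
    findings: Dict[str, List[str]] = {}
    for h in handshakes:
        if not is_ffdhe_ephemeral(h.cipher_suite):
            continue  # RSA key transport, static DH, etc. are out of scope here
        problems = []
        if h.dh_prime_bits is None or h.dh_prime_bits < MIN_GROUP_BITS:
            problems.append(f"group size {h.dh_prime_bits} < {MIN_GROUP_BITS} bits")
        if h.dh_public is not None and len(seen[h.dh_public]) > 1:
            others = [c for c in seen[h.dh_public] if c != h.conn_id]
            problems.append(f"DHE public value reused in {others}")
        if problems:
            findings[h.conn_id] = problems
    return findings

# Constructed sample: dh_public values are short placeholders, not real DH values.
SAMPLE = [
    Handshake("c1", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 2048, b"\x11\x22"),  # ok
    Handshake("c2", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 1024, b"\x33\x44"),  # small group
    Handshake("c3", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 3072, b"\x55\x66"),  # reused below
    Handshake("c4", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 3072, b"\x55\x66"),  # reuse of c3
    Handshake("c5", "TLS_RSA_WITH_AES_128_GCM_SHA256", None, None),  # no DH, skipped
]
```

Run `audit(SAMPLE)`: c1 passes despite being the suite named in Appendix C, while c2 fails on group size and c3/c4 fail on public-value reuse.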