Ah, I understand your question now :-) Sure, the document seems inconsistent/unclear about this at the moment. Once we settle on a decision regarding FFDHE I'll fix this.
best,
Nimrod

On Fri, 3 Mar 2023 at 19:35, Eric Rescorla <e...@rtfm.com> wrote:

> On Fri, Mar 3, 2023 at 9:21 AM Nimrod Aviram <nimrod.avi...@gmail.com> wrote:
>
>> Hi Eric and Everyone, draft coauthor here.
>>
>> Appendix C lists "DHE Cipher Suites Referred to by This Document", not
>> ones which are deprecated.
>> The intention of the current text is to permit fully ephemeral DHE over a
>> finite field (FFDHE) with sufficient group size.
>
> That's what I got from the title of Appendix C, but then what does this text
> mean:
>
> "All the cipher suites that do not meet the above requirements are
> listed in the table in Appendix C."
>
> Because, as you say, some of the suites in C meet this requirement.
>
>> However, we also have an unresolved consensus call regarding whether/to
>> what extent to permit FFDHE when this document (hopefully) becomes an
>> official RFC:
>> https://mailarchive.ietf.org/arch/msg/tls/iZGV0kKHfbV5MrO-owB8mFwfffw/
>> so at any rate, the current text around FFDHE is mostly a placeholder.
>> I do hope to present at the upcoming WG meeting and resolve this issue,
>> which should be the last one (famous last words, I know).
>>
>> Happy to answer further questions, or generally get a discussion going on
>> here before the meeting.
>
> OK, so we don't need to spend too much time on this, but I'd still like to
> understand the intent :)
>
> -Ekr
>
>> best,
>> Nimrod
>>
>> On Thu, 2 Mar 2023 at 23:19, Eric Rescorla <e...@rtfm.com> wrote:
>>
>>> Hi folks,
>>>
>>> I was just reading draft-ietf-tls-deprecate-obsolete-kex-01.txt
>>> and the combination of Section 3 and Appendix C is confusing
>>> to me.
>>>
>>> Specifically, the text says:
>>>
>>> Clients and servers MAY offer fully ephemeral FFDHE cipher suites in
>>> TLS 1.2 connections under the following conditions:
>>>
>>> 1. Clients and servers MUST NOT reuse ephemeral DHE public keys
>>> across TLS connections for all existing (and future) TLS
>>> versions. Doing so invalidates forward secrecy properties of
>>> these connections. For DHE, such reuse may also lead to
>>> vulnerabilities such as those used in the [Raccoon] attack. See
>>> Section 6 for related discussion.
>>>
>>> 2. The group size is at least 2048 bits.
>>>
>>> ...
>>>
>>> All the cipher suites that do not meet the above requirements are
>>> listed in the table in Appendix C.
>>>
>>> And then Appendix C lists, for instance:
>>>
>>> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>>>
>>> Which as I understand it, can be used with the above requirements
>>> as long as you use a suitable group, so this makes me think maybe
>>> I don't understand the text. What cipher suites is this intended
>>> to permit in TLS 1.2?
>>>
>>> -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
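The two conditions Ekr quotes from Section 3 of the draft (no reuse of the ephemeral DHE public value across connections, and a group of at least 2048 bits) are the kind of thing a client or a passive monitor can check directly on a TLS 1.2 ServerKeyExchange. The following Python is an added example written for this page; it is not code from the thread, the draft, or any IETF project. It parses the ServerDHParams structure from RFC 5246 section 7.4.3 and applies both checks to a sequence of handshakes from one server. All sample byte strings are constructed: the two `p` values are 2048-bit and 1024-bit placeholders with the top bit set, not real primes, and the server name `dhe.example` is hypothetical.

```python
"""Check TLS 1.2 DHE ServerKeyExchange parameters against the two conditions
in draft-ietf-tls-deprecate-obsolete-kex Section 3 quoted in this thread:
no reuse of the ephemeral public value across connections, and a group of
at least 2048 bits. Added example; all sample inputs are constructed."""
import struct
from typing import Dict, NamedTuple, Set, Tuple

MIN_GROUP_BITS = 2048


class ServerDHParams(NamedTuple):
    p: int
    g: int
    ys: int


def _read_opaque16(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one TLS opaque<1..2^16-1> vector (2-byte big-endian length)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length out of range")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes) -> ServerDHParams:
    """Parse ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys, each an
    opaque<1..2^16-1>. For DHE_RSA the signature follows; it is ignored here."""
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    return ServerDHParams(
        int.from_bytes(p_bytes, "big"),
        int.from_bytes(g_bytes, "big"),
        int.from_bytes(ys_bytes, "big"),
    )


def encode_server_dh_params(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Inverse of the parser; used only to build the constructed samples."""
    return b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))


def group_bits(params: ServerDHParams) -> int:
    """Group size in the sense of condition 2: the bit length of p."""
    return params.p.bit_length()


class DheReuseMonitor:
    """Remember every (p, g, Ys) offered by each server and flag a repeat.
    A repeated Ys is exactly the reuse condition 1 forbids (and the
    precondition for the Raccoon attack the draft refers to)."""

    def __init__(self) -> None:
        self._seen: Dict[str, Set[Tuple[int, int, int]]] = {}

    def observe(self, server: str, params: ServerDHParams) -> dict:
        key = (params.p, params.g, params.ys)
        seen = self._seen.setdefault(server, set())
        reused = key in seen
        seen.add(key)
        bits = group_bits(params)
        # 1 < Ys < p-1 also rejects the degenerate public values 0, 1, p-1.
        ys_in_range = 1 < params.ys < params.p - 1
        return {
            "group_bits": bits,
            "group_ok": bits >= MIN_GROUP_BITS,
            "ys_in_range": ys_in_range,
            "ys_reused": reused,
            "compliant": bits >= MIN_GROUP_BITS and ys_in_range and not reused,
        }


# Constructed samples. These p values are 2048- and 1024-bit placeholders
# (top bit set), NOT real primes; a real client would additionally match p
# against a known group such as the RFC 7919 ffdhe2048 prime.
P_2048 = b"\xff" + b"\x00" * 254 + b"\xff"
P_1024 = b"\xff" + b"\x00" * 126 + b"\xff"
G = b"\x02"
YS_A = b"\x42" + b"\x00" * 254 + b"\x01"
YS_B = b"\x43" + b"\x00" * 254 + b"\x01"

SKE_GOOD_1 = encode_server_dh_params(P_2048, G, YS_A)
SKE_GOOD_2 = encode_server_dh_params(P_2048, G, YS_B)   # fresh Ys: fine
SKE_REUSED = encode_server_dh_params(P_2048, G, YS_A)   # same Ys as SKE_GOOD_1
SKE_SMALL = encode_server_dh_params(P_1024, G, b"\x42" + b"\x00" * 126 + b"\x01")


def run_demo() -> list:
    """Feed the constructed ServerKeyExchange bodies through the monitor in
    order, as if observed from one server; 'dhe.example' is hypothetical."""
    mon = DheReuseMonitor()
    return [mon.observe("dhe.example", parse_server_dh_params(b))
            for b in (SKE_GOOD_1, SKE_GOOD_2, SKE_REUSED, SKE_SMALL)]


if __name__ == "__main__":
    for i, r in enumerate(run_demo(), 1):
        print(i, r)
```

The third handshake is rejected purely because its `Ys` was already seen, even though the group is large enough; the fourth has a fresh `Ys` but a 1024-bit group and so fails condition 2. This is also why Ekr's point about Appendix C matters: a suite name like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 says nothing about either condition, which are properties of the parameters a particular server sends.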