> At the moment the blanket "don't do DH" is in effect saying "use RSA keyex" to a chunk of the market. Does the document in question say in effect "use RSA keyex"? Or could it be read that way? The first sentence is "This document deprecates the use of RSA key exchange and Diffie Hellman". That seems pretty clear.
There are a few valid arguments, from yourself and others here, to soften the prescription regarding FFDHE from MUST NOT to SHOULD NOT, or similar. That's a reasonable position to take, but at this stage I guess the discussion is mostly around the presentation and structure of the document. best, Nimrod On Fri, 14 Jul 2023 at 10:02, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote: > Viktor Dukhovni <ietf-d...@dukhovni.org> writes: > > >What benefit do we expect from forcing weaker security (RSA key exchange > or > >cleartext in the case of SMTP) on the residual servers that don't do > either > >TLS 1.3 or ECDHE? > > This already happens a lot in wholesale banking, the admins have dutifully > disabled DH because someone said so and so all keyex falls back to RSA > circa > 1995, and worst possible situation to be in. > > There needs to be clear text in there to say that if you can't do ECC then > do > DH but never RSA, or even just "keep using DH because it's still vastly > better > than the alternative of RSA". At the moment the blanket "don't do DH" is > in > effect saying "use RSA keyex" to a chunk of the market. > > Peter. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
