On Tue, May 27, 2025 at 3:27 PM Paul Wouters <paul.wouters=
40aiven...@dmarc.ietf.org> wrote:
> Can we note that Finite-field DH is however, being deprecated in
> draft-ietf-tls-deprecate-obsolete-kex. Or perhaps just not even mention
> finite-field groups anymore?
The terminology is a bit confusing here, because sometimes people use
"FFDH" to mean static and ephemeral and sometimes they say "FFDH" for
static and "FFDHE" for ephemeral. In any case,
draft-ietf-tls-deprecate-obsolete-kex does not deprecate FFDHE for
TLS 1.3:
3. Ephemeral Finite Field Diffie Hellman
Clients MUST NOT offer and servers MUST NOT select FFDHE cipher
suites in TLS 1.2 connections. This includes all cipher suites
listed in the table in Appendix C. (Note that TLS 1.0 and 1.1 are
deprecated by [RFC8996].) FFDHE cipher suites in TLS 1.3 do not
suffer from the problems presented in Section 1; see
[I-D.ietf-tls-rfc8446bis]. Therefore, clients and servers MAY offer
FFDHE cipher suites in TLS 1.3 connections.
This draft is registering FFDHE groups:
ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
ffdhe6144(0x0103), ffdhe8192(0x0104),
I haven't really formed an opinion one way or the other about whether
we should specify ML-KEM/FFDHE cipher suites, but I don't think that
this draft is inconsistent with other WG decisions.
-Ekr
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
