Hi Everyone,

Coauthor of draft-bartle-tls-deprecate-ffdhe
<https://datatracker.ietf.org/doc/html/draft-bartle-tls-deprecate-ffdhe>
here (the document is undergoing reorganization, and the work-in-progress
state can be found here
<https://github.com/nimia/draft-deprecate-obsolete-kex/blob/main/draft-aviram-tls-deprecate-obsolete-kex.md>
).

draft-ietf-uta references the deprecate-ffdhe draft as a future TODO item
in Section 6.4.
There are a few notable differences between the recommendations in the two
drafts:

- The draft-ietf-uta lists RSA key exchange as a SHOULD NOT. We've had
similar discussions in the TLS WG, and I argue that RSA should be a MUST
NOT. We've had support
<https://notes.ietf.org/notes-ietf-111-tls#Deprecating-Obsolete-Key-Exchange-Mechanisms-in-TLS>
for this on the TLS WG.

- The wording in Section 4.1 of draft-ietf-uta implies that using finite
field DHE cipher suites is generally good practice. Most web client
implementations have dropped support for finite field DHE. Further, the
Introduction of WIP draft-tls-deprecate-obsolete-kex
<https://github.com/nimia/draft-deprecate-obsolete-kex/blob/main/draft-aviram-tls-deprecate-obsolete-kex.md#introduction>
lists problems affecting finite field DHE, especially when exponents are
reused. These problems are arguably severe enough to make exponent reuse a
MUST NOT. Section 6.4 has both static finite field DH and exponent reuse as
a SHOULD NOT.

- On a side note, the list of recommended cipher suites in Section 4.2 is a
subset of the recommended cipher suites in the "Intermediate" configuration
in Mozilla's Server Side TLS Guide
<https://wiki.mozilla.org/Security/Server_Side_TLS>. Could one of the
authors please explain the rationale for this difference?

Obviously, my recommendations are reflected in the WIP
draft-tls-deprecate-obsolete-kex:
(please excuse the brevity)
- MUST NOT use (non-ephemeral) DH cipher suites.
- SHOULD NOT use non-ephemeral ECDH.
- Finite field DHE: MUST NOT reuse exponents, MUST use a well-known group.
- MUST NOT use RSA key exchange.

I look forward to your responses.

best, and happy holidays,
Nimrod
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
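
Added example, not part of the original message or of either draft: a small audit that sorts IANA TLS cipher suite names by the key exchange rules listed in the message (RSA, static DH, static ECDH, finite field DHE). The function names, the level labels "CONDITIONAL" and "NOT LISTED", and the sample list are assumptions made for illustration. Exponent reuse and group choice cannot be read from a suite name, so DHE suites are only flagged for follow-up.

```python
import re

# Key exchange token of an IANA TLS 1.2 suite name -> family covered by the
# message. ECDHE and tokens with PSK, SRP, KRB5 or anon are left out on
# purpose: the list in the message says nothing about them.
KEX_FAMILY = {
    "RSA": "RSA",
    "DH_RSA": "DH", "DH_DSS": "DH",
    "DHE_RSA": "DHE", "DHE_DSS": "DHE",
    "ECDH_RSA": "ECDH", "ECDH_ECDSA": "ECDH",
}

# Requirement levels copied from the list in the message above.
RULES = {
    "RSA": ("MUST NOT", "RSA key exchange"),
    "DH": ("MUST NOT", "non-ephemeral finite field DH"),
    "ECDH": ("SHOULD NOT", "non-ephemeral ECDH"),
    "DHE": ("CONDITIONAL", "MUST NOT reuse exponents, MUST use a well-known group"),
}

_SUITE = re.compile(r"^TLS_(?P<kex>[A-Za-z0-9_]+?)_WITH_")

def classify(suite):
    """Return (level, reason) for one IANA cipher suite name."""
    m = _SUITE.match(suite)
    # TLS 1.3 names such as TLS_AES_128_GCM_SHA256 have no key exchange part.
    family = KEX_FAMILY.get(m.group("kex")) if m else None
    return RULES.get(family, ("NOT LISTED", "no rule in the message applies"))

def audit(suites):
    """Group suite names by level so a config review can act on each group."""
    report = {}
    for name in suites:
        report.setdefault(classify(name)[0], []).append(name)
    return report

# Constructed sample list, not taken from either draft or from Mozilla's guide.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for level, names in audit(SAMPLE).items():
        print(f"{level}: {', '.join(names)}")
```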
