On Mon, Aug 01, 2022 at 02:58:08PM -0600, Cullen Jennings wrote:
>
> > On Jul 30, 2022, at 1:40 PM, Peter Saint-Andre <stpe...@stpeter.im> wrote:
> >
> > Hi again,
> >
> > The authors have conferred on this and at this time we don't think that we
> > can recommend anything other than EC ciphers, for several reasons:
> >
> > 1. DHE negotiation is broken.
>
> Perhaps a bit more explanation in the draft about the issues with DHE-RSA (in
> the context of 7919) would help. I was under the perhaps mistaken perception
> that RFC 7919 was not subject to the Raccoon attack and that there were
> mitigations for the Raccoon timing attacks. Given the reliance on a single
> class of algorithms, I think it would be worth highlighting the risks and
> providing good info on why alternatives don't work.

This was discussed in the TLS session at 114, as it happens;
https://zulip.ietf.org/#narrow/stream/140-tls/topic/jabber/near/21527 has some
links to previous mailing list discussions of the deployment issues that make
RFC 7919 unusable in practice.

> > 2. Static RSA is out of the question.
>
> I agree but would prefer that this was phrased as "things that don't provide
> PFS are out of the question", not that RSA is not usable. I see lots of
> confusion of those two. I will note that, if EC was broken by quantum or
> optical computers but RSA was not, I'm pretty sure I would be switching to
> something with no PFS vs something that was broken.

Yup.

-Ben
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
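The confusion Cullen points at above, "RSA" as the key-exchange method versus "RSA" as the signature key that authenticates an ephemeral ECDHE/DHE share, is easy to see in cipher-suite names. The following is an added example, not code from the thread or from the draft authors: it classifies OpenSSL-style suite names by key exchange and authentication, flags the ones without forward secrecy (static RSA key transport and static ECDH), and builds a client context that only negotiates ephemeral key exchange. The prefix table assumes OpenSSL's naming scheme, and the `kx-rsa` / `kx-any` strings are assumed to be the long names of OpenSSL's key-exchange NIDs as exposed by `ssl.SSLContext.get_ciphers()`.

```python
"""Separate key exchange from authentication in TLS cipher suites.

Added example (not from the uta@ietf.org thread). The "RSA" token in an
OpenSSL-style suite name can mean two different things: static RSA key
transport (no forward secrecy) or RSA authentication of an ephemeral
ECDHE/DHE share (forward secrecy preserved). The prefix rules below are an
assumption about OpenSSL's naming scheme; the "kx-*" values are assumed to
be the long names of OpenSSL's key-exchange NIDs as surfaced by
ssl.SSLContext.get_ciphers().
"""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str    # ECDHE, DHE, ECDH (static), RSA (static) or TLS1.3
    authentication: str  # RSA, ECDSA, ... or ANY (TLS 1.3: set by the certificate)
    forward_secret: bool


def classify_suite(name: str) -> SuiteInfo:
    """Classify one OpenSSL-style cipher suite name."""
    # TLS 1.3 names carry only the AEAD and hash; key exchange is always ephemeral.
    if name.startswith("TLS_"):
        return SuiteInfo(name, "TLS1.3", "ANY", True)
    parts = name.split("-")
    prefix = parts[0]
    if prefix in ("ECDHE", "DHE"):
        # Ephemeral share, signed by the certificate key named next: PFS.
        return SuiteInfo(name, prefix, parts[1], True)
    if prefix == "ECDH":
        # Static ECDH from the certificate key: no PFS even though it is EC.
        return SuiteInfo(name, "ECDH", parts[1], False)
    # No key-exchange prefix at all means RSA key transport: the premaster
    # secret is encrypted to the certificate key, so a later key compromise
    # decrypts every recorded session.
    return SuiteInfo(name, "RSA", "RSA", False)


def non_pfs_suites(names):
    """Return the names from `names` that do not provide forward secrecy."""
    return [n for n in names if not classify_suite(n).forward_secret]


def build_pfs_context() -> ssl.SSLContext:
    """Client context that negotiates only ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # For TLS 1.2, allow only ECDHE with AEAD ciphers; TLS 1.3 suites are
    # not selected by this string and are always (EC)DHE anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL")
    return ctx


def static_rsa_suites(ctx: ssl.SSLContext):
    """Names of enabled suites whose key exchange is static RSA ('kx-rsa')."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa"]


if __name__ == "__main__":
    sample = [  # constructed list mixing PFS and non-PFS suites
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "DHE-RSA-AES256-GCM-SHA384",
        "AES128-GCM-SHA256",
        "ECDH-RSA-AES128-SHA256",
        "TLS_AES_256_GCM_SHA384",
    ]
    for n in sample:
        print(classify_suite(n))
    print("no forward secrecy:", non_pfs_suites(sample))
    print("static RSA left in hardened context:",
          static_rsa_suites(build_pfs_context()))
```

Running it shows that `ECDHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384` are forward secret despite the RSA token, while `AES128-GCM-SHA256` (RSA key transport) and `ECDH-RSA-AES128-SHA256` (static ECDH) are not; the hardened context leaves no `kx-rsa` suite enabled, which is the check to run against whatever cipher string a deployment actually configures.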