Re: [Last-Call] [Uta] [art] Artart last call review of draft-ietf-uta-rfc7525bis-09

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/3/22 12:07 AM, Peter Gutmann wrote:
Peter Saint-Andre <stpeter@xxxxxxxxxx> writes:

Hi Cullen, having looked more closely at the text that's already in 7525bis,
I have a few questions inline...

Me too, specifically in regard to the "DHE negotiation is broken" comment.
The draft says:

       However, TLS 1.2 implementations SHOULD
       NOT negotiate cipher suites based on ephemeral finite-field
       Diffie-Hellman key agreement (i.e., "TLS_DHE_*" suites).  This is
       justified by the known fragility of the construction (see
       [RACCOON])

Raccoon relies on reuse of ephemeral values.  If a DH*Ephemeral*
implementation reuses the ephemeral values it's not TLS_DHE_whatever any more,
it's TLS_DH_whatever. So this isn't a valid criticism of DHE, since it's not
DHE.

It's really not that hard to do DHE properly.  The solution isn't to throw out
all use of DHE [0] but to specify what to do to avoid doing DHE badly.

Given that we already discuss these matters in Section 7.4, I don't see the need for additional text.

Peter

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux