On Fri, May 22, 2015 at 1:55 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 22/05/2015 07:18, Jeffrey Walton wrote:
>>
>> On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-openssl at wisemo.com>
>> wrote:
>>>
>>> On 22/05/2015 03:57, Jeffrey Walton wrote:
>>>>>
>>>>> As an additional change for 1.0.2c or later (no need to
>>>>> delay the urgent fix), maybe adjust internal operations
>>>>> to discourage use of hardcoded DH groups for TLS DH (but
>>>>> NOT for generic DH-like operations such as openssl-based
>>>>> implementations of SRP).
>>>>
>>>> That's going to be tough because standards groups like the TLS WG are
>>>> actively promoting fully specified, named parameters and curves.
>>>>
>>>> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
>>>> Parameters for TLS",
>>>> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
>>>> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
>>>> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
>>>> (The thread is due to the recent attacks on DH).
>>>
>>> The latter thread contains posts from respected experts
>>> asking not to use fixed parameters for DH...
>>
>> Well, I'm not sure how much more respected one can get than Daniel
>> Kahn Gillmor, Stephen Farrell, Eric Rescorla; or have better
>> credentials than practicing cryptographers.
>>
>> How high is your bar :)
>
> Who did I say were not highly respected cryptographers?
> ...
> I saw no posts in that thread arguing why fixed DH groups
> would be a good thing.

That's Gillmor's https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09.
It's a set of fixed DH groups called out by name for use in TLS.

Or are you talking about server certificates with fixed DH parameters?

Jeff
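Whether a DH group is hardcoded, negotiated by name, or generated locally, the property a defender actually cares about is that the group is sound: p is a safe prime (p = 2q + 1 with q prime), the generator lands in the large prime-order subgroup, and p is long enough. The named groups in the ffdhe draft are built that way (safe primes, generator 2). The checker below is an added example written for this thread, not code from OpenSSL or from the draft; it uses a stdlib Miller-Rabin test and a constructed toy group (p = 23, g = 2) for demonstration, and the 2048-bit minimum is an assumed policy value, not something the thread states.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for checking DH parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_group(p, g, min_bits=2048):
    """Validate a finite-field DH group (p, g).

    Returns (ok, problems). min_bits is an assumed local policy minimum.
    """
    problems = []
    if not is_probable_prime(p):
        # Nothing else is meaningful if p is composite.
        return False, ["p is not prime"]

    q = (p - 1) // 2
    safe = is_probable_prime(q)
    if not safe:
        problems.append("p is not a safe prime (q = (p-1)/2 is composite)")

    if not 1 < g < p - 1:
        problems.append("generator g is outside the range 2..p-2")
    elif safe:
        # For prime p, g^q is +1 or -1 (mod p). +1 means g has order q and
        # generates the prime-order subgroup; -1 means g generates the whole
        # group of order 2q, which leaks the parity of the private exponent.
        if pow(g, q, p) != 1:
            problems.append("g generates the whole group (order 2q), not the q-order subgroup")

    if p.bit_length() < min_bits:
        problems.append("p has %d bits, below the %d-bit minimum" % (p.bit_length(), min_bits))

    return len(problems) == 0, problems


if __name__ == "__main__":
    # Constructed toy group: 23 = 2*11 + 1 is a safe prime and 2 has order 11 mod 23.
    for p, g in ((23, 2), (23, 5), (25, 2), (13, 2)):
        ok, probs = check_dh_group(p, g, min_bits=4)
        print("p=%d g=%d ok=%s %s" % (p, g, ok, probs))
```

In practice p and g would be read from the output of `openssl dhparam -in dh.pem -text -noout` or from a server's ServerKeyExchange message; the point of the check is that a named group and a locally generated one are judged by the same criteria, and a generated group that fails the subgroup or safe-prime test is no better than a "magic" one.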