Re: [TLS] draft-ietf-tls-rfc4346-04 available
On Sun, 08 Jul 2007 16:50:51 +0200, Eric Rescorla
<ekr at networkresonance.com> wrote:

> I just submitted draft-ietf-tls-rfc4346-04.
> Until it's in the repository, you can find it at:
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/tls/tls.txt
>
> The changes are:
> - Added some guidance about checking DH groups and exponents.
>   [Issues 15 and 43]

I think this:

"The client SHOULD also verify that the DH public exponent appears to be
of adequate size."

ought to be worded stronger, perhaps something like

"The client SHOULD also verify that the DH public exponent is of
equivalent cryptographic strength as the key used to sign the public key."

(Yesterday there were two reports to Opera about such weak keys at
Hushmail)

This might also be phrased in a way that allows it to apply to other
temporary key methods, as well.

Perhaps there should be some advice on what a client should do in case the
key is considered too weak?

My suggestion would be that the client should renegotiate with the ephemeral
ciphersuites less preferred than non-ephemeral ciphersuites. The drawback
is that this will make the negotiation process more complicated.

Another possibility would be to send the insufficient_security alert as a
warning (which would require redefining the alert) even if the connection
is accepted.

--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
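
The client-side check discussed in this message, as an added example that is not part of the original message or of the draft. It parses the ServerDHParams structure (dh_p, dh_g, dh_Ys) and compares the group size with the signing key size. The function names, the reading of "equivalent strength" as "dh_p at least as long as the RSA signing modulus", and the sample values are assumptions made for illustration.

```python
import struct

def read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector; return (integer value, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(buf):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a ServerKeyExchange body."""
    p, off = read_opaque16(buf, 0)
    g, off = read_opaque16(buf, off)
    ys, _ = read_opaque16(buf, off)
    return p, g, ys

def check_dh_params(buf, signing_key_bits):
    """Return a list of problems; an empty list means the parameters pass."""
    # Assumption: dh_p must be at least as long as the RSA signing modulus.
    p, g, ys = parse_server_dh_params(buf)
    problems = []
    if p.bit_length() < signing_key_bits:
        problems.append("dh_p is %d bits, signing key is %d bits"
                        % (p.bit_length(), signing_key_bits))
    if not 1 < g < p - 1:
        problems.append("dh_g out of range")
    if not 1 < ys < p - 1:
        problems.append("dh_Ys out of range")
    return problems

def encode_params(p, g, ys):
    """Build a ServerDHParams byte string for the constructed samples below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the right size, not real primes
# (primality of dh_p is not checked here).
WEAK = encode_params((1 << 511) | 1, 2, 0x1234567)
OK = encode_params((1 << 1023) | 1, 2, 0x1234567)
BAD_YS = encode_params((1 << 1023) | 1, 2, 1)
```

With a 1024-bit signing key, `check_dh_params(WEAK, 1024)` reports the 512-bit group and `check_dh_params(OK, 1024)` returns an empty list.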