Re: [TLS] Security today

To: Mike <mike-list at pobox.com>
Subject: Re: [TLS] Security today
From: Eric Rescorla <ekr at networkresonance.com>
Date: Fri, 28 Mar 2008 21:20:43 -0700
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <47EDC226.3080809 at pobox.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <47EC2A75.2050303 at pobox.com> <0685A6ED2CB5D245B49DD0B07C3636CC2A8D543BC7 at NA-EXMSG-C104.redmond.corp.microsoft.com> <47EC57A2.4030109 at pobox.com> <47ED2BAB.2070508 at canola-jones.com> <47ED520E.80309 at pobox.com> <20080329010805.259641CB236 at kilo.rtfm.com> <47EDC226.3080809 at pobox.com>
Sender: tls-bounces at ietf.org
User-agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)

At Fri, 28 Mar 2008 21:14:30 -0700,
Mike wrote:
> 
> >> I think that it's become necessary for the TLS WG to put
> >> together a document with hard numbers in it for key lengths,
> >> relative strengths, expected lifetime for data protected by
> >> those keys/lengths/algorithms.
> > 
> > RFC 3766.
> 
> Thanks for the pointer to that document; I hadn't seen it before.
> However, the document I think we need would merely use that RFC
> as a (important) reference.  In particular it doesn't mention
> TLS at all or its key exchange mechanisms.  It also seems to be
> written for cryptographers, not your average programmer.
> 
> The things that I think need to be spelled out are things like
> forward secrecy.  For example, the RSA key for an RSA_* cipher
> suite needs to be much stronger than the RSA key for DHE_RSA_*
> since breaking the latter doesn't reveal anything about any
> past sessions, while breaking the former reveals everything
> about every past session.
>
> Also after breaking the key, you can passively listen in on any
> future sessions based on RSA_* without much risk of detection,
> but to get anything out of future DHE_RSA_* sessions, you need
> to actively insert yourself in the middle.

This is all well-known material amply covered in the cryptographic
literature. I don't see any benefit in the TLS WG rehashing
this territory.

-Ekr

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Security today
  - From: Eric Rescorla

References:
- [TLS] Security today
  - From: Mike
- Re: [TLS] Security today
  - From: Michael Howard
- Re: [TLS] Security today
  - From: Mike
- Re: [TLS] Security today
  - From: Rodney Thayer
- Re: [TLS] Security today
  - From: Mike
- Re: [TLS] Security today
  - From: Eric Rescorla
- Re: [TLS] Security today
  - From: Mike

Prev by Date: Re: [TLS] Security today
Next by Date: Re: [TLS] Security today
Previous by thread: Re: [TLS] Security today
Next by thread: Re: [TLS] Security today
Index(es):
- Date
- Thread

Re: [TLS] Security today

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.