Re: [TLS] Security today
At Sat, 29 Mar 2008 10:31:10 -0700,
Mike wrote:
>
> >>> 3. The major servers support ephemeral DH, as do many clients.
> >> This is where you are wrong. Here is a list of servers that will
> >> not negotiate DHE_RSA with any of AES128, AES256, or DES3:
> >
> > I'm talking about the implementations, not the server operators.
> > The server operators have chosen not to turn it on.
>
> And that is precisely why they need a document telling them just
> how damaging that choice is. Which do you think will get more
> attention, a whitepaper outlining the dangers of not using DHE
> preferentially, written by some random guy named Mike, or the
> same paper with the backing of the TLS WG of the IETF Internet
> Security area?

But the document *does* tell them exactly how damaging the choice
is. It says (S F.1.1.2.):

   With RSA, key exchange and server authentication are combined. The
   public key is contained in the server's certificate. Note that
   compromise of the server's static RSA key results in a loss of
   confidentiality for all sessions protected under that static key. TLS
   users desiring Perfect Forward Secrecy should use DHE cipher suites.
   The damage done by exposure of a private key can be limited by
   changing one's private key (and certificate) frequently.

You seem to want us to go beyond that to tell them that they should
not use these modes, but that's not our job.

-Ekr
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
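
Added example, not part of the original message or of the TLS specification: a check of a server's cipher-suite preference list against the distinction drawn in the quoted F.1.1.2 text (static RSA key exchange versus DHE). Suite names are IANA names; the function names are hypothetical and the sample preference lists are constructed. It generalizes slightly beyond the thread by also recognizing ECDHE and TLS 1.3 suite names.

```python
# Added example: audit a server's cipher-suite preference list for forward secrecy.
EPHEMERAL = ("DHE_", "ECDHE_")  # key-exchange prefixes that use ephemeral (EC)DH


def key_exchange(suite):
    """Return the key-exchange part of an IANA suite name, e.g. 'DHE_RSA'."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite!r}")
    head, sep, _ = suite[4:].partition("_WITH_")
    # TLS 1.3 names have no '_WITH_'; full TLS 1.3 handshakes always use (EC)DHE.
    return head if sep else "TLS13"


def forward_secret(suite):
    """True if a later compromise of the static key does not expose this session."""
    kx = key_exchange(suite)
    # Static RSA, static DH_/ECDH_ and the unauthenticated *_anon suites fail here.
    return kx == "TLS13" or kx.startswith(EPHEMERAL)


def audit(preference):
    """preference: suites in the server's order of preference, most preferred first."""
    fs = [s for s in preference if forward_secret(s)]
    first_fs = preference.index(fs[0]) if fs else len(preference)
    return {
        "forward_secret": fs,
        "static_rsa": [s for s in preference if key_exchange(s) == "RSA"],
        # Suites the server would pick before any forward-secret one.
        "ranked_above_fs": preference[:first_fs],
        "prefers_fs": bool(fs) and first_fs == 0,
    }


# Constructed sample configurations (not taken from any real server).
RSA_ONLY = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
DHE_LAST = RSA_ONLY + ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
DHE_FIRST = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name, cfg in (("RSA_ONLY", RSA_ONLY), ("DHE_LAST", DHE_LAST), ("DHE_FIRST", DHE_FIRST)):
        report = audit(cfg)
        print(name, "prefers_fs =", report["prefers_fs"], "ranked_above_fs =", report["ranked_above_fs"])
```

A configuration that reports `prefers_fs = False` with a non-empty `forward_secret` list supports DHE but will not select it first, which is the "turned on but not preferred" case the thread distinguishes from "not turned on".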