[TLS] Should we support static RSA in TLS 1.3?
Eric Rescorla <ekr@rtfm.com> Sun, 17 November 2013 00:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF2411E8105 for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 16:47:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.976
X-Spam-Level:
X-Spam-Status: No, score=-102.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PxVuzdsJ9LuR for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 16:47:47 -0800 (PST)
Received: from mail-we0-f170.google.com (mail-we0-f170.google.com [74.125.82.170]) by ietfa.amsl.com (Postfix) with ESMTP id 52AE011E80E2 for <tls@ietf.org>; Sat, 16 Nov 2013 16:47:47 -0800 (PST)
Received: by mail-we0-f170.google.com with SMTP id w61so1220626wes.29 for <tls@ietf.org>; Sat, 16 Nov 2013 16:47:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=2bsfKxHAdxhul+TDLnYB+uRu3yWtAJKlZtl6NmVcaFU=; b=MeCL3APRjFXsG7Ay9acIhevqZ24unHRTg8vXBkdUBcY04w+pWgfYMnswQJnW6shyqZ dVULdxc3fCiCq8ev4p+pNw6VFI52IyDWw78/TWfehhSQKia8q1NJFufhiy2Ucoef5NOR cwLlQIsNN+3dRM7MrFIjxflZexdqysQ0PsSzp77VLcLBDoXBIisvcGI+r4sz6W63gwSM rhGjBhfNKUrNmUT4D5s4ews9C3NWDSMijZnr2j43QRGqoboLnAWdCUwbWNsFXgshHNMh pI7Cj49YAg7myDK79L8YbVC9gDx241qU8lniGy1NvT/VXedrW7zl4UEM2kj/SiRZbu6c gD0Q==
X-Gm-Message-State: ALoCoQnZqGFh6p4zP0oyrRlnVTc7/ET5mm4pdcGUEwgB75k6/LdIGMxF+joAqXIH9LaDFdzpL8pi
X-Received: by 10.194.93.3 with SMTP id cq3mr11913924wjb.26.1384649264688; Sat, 16 Nov 2013 16:47:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.152.137 with HTTP; Sat, 16 Nov 2013 16:47:04 -0800 (PST)
X-Originating-IP: [74.95.2.168]
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 16 Nov 2013 16:47:04 -0800
Message-ID: <CABcZeBN3WPigLn-ggm2YGTcPEwn8G-1ecRAxdCtK3ueuUPF09Q@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7bb048228f8a4404eb54c71f"
Subject: [TLS] Should we support static RSA in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 00:47:54 -0000
One of the topics we didn't really get to in Vancouver was the fate of the static RSA ciphersuites. We'll eventually need to decide on this for TLS 1.3. Note that this isn't a question of either of the following: * Removal of RSA from TLS 1.2 and below. There are still plenty of clients which only do static RSA and we can't actually break them for a long time. * Removal of the use of RSA certificates: we would still almost certainly need ephemeral cipher suites where the server uses their RSA key for authentication, just like in the current RSA_DHE and RSA_ECDHE cipher suites. The question is only for TLS 1.3 and only for static RSA. (If you think differently, please raise on another thread.) This message tries to summarize what I take to be the main arguments for and against. Static RSA has obvious deficiencies: - It doesn't offer forward security. - The larger key lengths that are required for security are increasingly uncompetitive with other algorithms (principally EC). Additionally, since we know we want to offer ephemeral key agreement modes such as DHE (see the recommendations in http://tools.ietf.org/html/draft-sheffer-tls-bcp-01) it would reduce complexity to *only* offer such modes rather than having to support static RSA as well. This isn't a no-brainer, though. Static RSA is still by far the dominant key exchange algorithm and if you have an RSA certificate, is strictly faster than any ephemeral suite. So, we're asking everyone to take a performance hit at the same time as we're trying to make TLS faster; of course this is a computational cost rather than one of network latency, but there are still applications where that matters, especially in constrained devices. There are also some settings where PFS is actually undesirable, especially for diagnosis and monitoring. In this settings, it's much more convenient to simply provide the monitoring device with the server key. ssldump and wireshark, for instance, both provide this feature. Please use this thread to discuss. -Ekr
- [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Phillip Hallam-Baker
- Re: [TLS] Should we support static RSA in TLS 1.3? Geoffrey Keating
- Re: [TLS] Should we support static RSA in TLS 1.3? Watson Ladd
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Watson Ladd
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] Should we support static RSA in TLS 1.3? Andy Lutomirski
- Re: [TLS] Should we support static RSA in TLS 1.3? Geoffrey Keating
- Re: [TLS] Should we support static RSA in TLS 1.3? Andy Lutomirski
- Re: [TLS] Should we support static RSA in TLS 1.3? Phillip Hallam-Baker
- Re: [TLS] Should we support static RSA in TLS 1.3? Marsh Ray
- Re: [TLS] Should we support static RSA in TLS 1.3? Peter Gutmann