idnits 2.17.1

draft-bartle-tls-deprecate-ffdhe-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 468 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (24 February 2021) is 1154 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  ** Obsolete normative reference: RFC 5469 (Obsoleted by RFC 8996)

  ** Downref: Normative reference to an Informational RFC: RFC 6209

  ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147)

  ** Downref: Normative reference to an Informational RFC: RFC 6367

  -- Obsolete informational reference (is this intentional?): RFC 4492
     (Obsoleted by RFC 8422)

     Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          C. Bartle
Internet-Draft                                               Apple, Inc.
Intended status: Standards Track                               N. Aviram
Expires: 28 August 2021
                                                             F. Valsorda
                                                        24 February 2021

                 Deprecating FFDH(E) Ciphersuites in TLS
                   draft-bartle-tls-deprecate-ffdhe-00

Abstract

   This document deprecates and discourages use of finite field and
   elliptic curve Diffie Hellman cipher suites that have known
   vulnerabilities or improper security properties when implemented
   incorrectly.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Transport Layer
   Security Working Group mailing list (tls@ietf.org), which is archived
   at https://mailarchive.ietf.org/arch/browse/tls/.

   Source for this draft and an issue tracker can be found at
   https://github.com/cbartle891/draft-deprecate-ffdhe.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 28 August 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements
   2.  Non-Ephemeral Diffie Hellman
   3.  Ephemeral Diffie Hellman
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   TLS supports a variety of key exchange algorithms, including those
   based on finite field and elliptic curve Diffie Hellman (DH) groups.
   Each of these also comes in ephemeral and non-ephemeral varieties.
   Non-ephemeral DH algorithms use static DH public keys included in the
   authenticating peer's certificate; see [RFC4492] for discussion.  In
   contrast, ephemeral DH algorithms use ephemeral DH public keys sent
   in the handshake and authenticated by the peer's certificate.
   Ephemeral and non-ephemeral finite field DH algorithms are called DHE
   and DH, respectively, and ephemeral and non-ephemeral elliptic curve
   DH algorithms are called ECDHE and ECDH, respectively [RFC4492].

   In general, non-ephemeral cipher suites are not recommended due to
   their lack of forward secrecy.  However, as demonstrated by the
   [Raccoon] attack, public key reuse, either via non-ephemeral cipher
   suites or reused keys with ephemeral cipher suites, can lead to
   timing side channels that may leak connection secrets.  (Note that
   Raccoon only applies to finite field DH cipher suites, and not those
   based on elliptic curves.)  While these side channels can be avoided
   in implementations, doing so is demonstrably difficult given the
   prevalence of related side channels in TLS implementations.

   Given these problems, this document updates [RFC4346], [RFC5246],
   [RFC4162], [RFC6347], [RFC5932], [RFC5288], [RFC6209], [RFC6367],
   [RFC8422], [RFC5289], and [RFC5469] to deprecate cipher suites with
   key reuse, by either prohibiting or discouraging them.

1.1.  Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Non-Ephemeral Diffie Hellman

   Clients MUST NOT offer non-ephemeral DH cipher suites in TLS 1.0,
   1.1, and 1.2 connections.  This includes all cipher suites listed in
   the following table.

   +==========================================+====================+
   | Ciphersuite                              | Reference          |
   +==========================================+====================+
   | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     | [RFC4346]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_DES_CBC_SHA              | [RFC5469]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     | [RFC4346]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_DES_CBC_SHA              | [RFC5469]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       | [RFC4346][RFC6347] |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_RC4_128_MD5             | [RFC5246][RFC6347] |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    | [RFC4346]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_DES_CBC_SHA             | [RFC5469]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_128_CBC_SHA          | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_128_CBC_SHA          | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_128_CBC_SHA         | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_256_CBC_SHA          | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_256_CBC_SHA          | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_256_CBC_SHA         | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_128_CBC_SHA256       | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_128_CBC_SHA256       | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA     | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA     | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA    | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_256_CBC_SHA256       | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_256_CBC_SHA256       | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_128_CBC_SHA256      | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_256_CBC_SHA256      | [RFC5246]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA     | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA     | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA    | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_SEED_CBC_SHA             | [RFC4162]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_SEED_CBC_SHA             | [RFC4162]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_SEED_CBC_SHA            | [RFC4162]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_128_GCM_SHA256       | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_AES_256_GCM_SHA384       | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_128_GCM_SHA256       | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_AES_256_GCM_SHA384       | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_128_GCM_SHA256      | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_AES_256_GCM_SHA384      | [RFC5288]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256  | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256  | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256  | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256  | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256     | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384     | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384      | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256     | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384     | [RFC6209]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256  | [RFC6367]          |
   +------------------------------------------+--------------------+
   | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384  | [RFC6367]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256  | [RFC6367]          |
   +------------------------------------------+--------------------+
   | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384  | [RFC6367]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367]          |
   +------------------------------------------+--------------------+
   | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367]          |
   +------------------------------------------+--------------------+

                                  Table 1

   Clients SHOULD NOT offer non-ephemeral ECDH cipher suites in TLS 1.0,
   1.1, and 1.2 connections.  This includes all cipher suites listed in
   the following table.

   +=============================================+====================+
   | Ciphersuite                                 | Reference          |
   +=============================================+====================+
   | TLS_ECDH_ECDSA_WITH_NULL_SHA                | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_RC4_128_SHA             | [RFC8422][RFC6347] |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA        | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA         | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA         | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_NULL_SHA                  | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_RC4_128_SHA               | [RFC8422][RFC6347] |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA          | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA           | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA           | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_anon_WITH_NULL_SHA                 | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_anon_WITH_RC4_128_SHA              | [RFC8422][RFC6347] |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA         | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_anon_WITH_AES_128_CBC_SHA          | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_anon_WITH_AES_256_CBC_SHA          | [RFC8422]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256      | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384      | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256        | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384        | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256      | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384      | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256        | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384        | [RFC5289]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256     | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384     | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256       | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384       | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256     | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384     | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256       | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384       | [RFC6209]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256   | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384   | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256   | [RFC6367]          |
   +---------------------------------------------+--------------------+
   | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384   | [RFC6367]          |
   +---------------------------------------------+--------------------+

                                  Table 2

3.  Ephemeral Diffie Hellman

   Clients and servers MUST NOT reuse ephemeral DHE or ECDHE public keys
   across TLS connections for all existing (and future) TLS versions.
   Doing so invalidates the forward secrecy properties of these
   connections.  In the case of DHE (finite field DH) cipher suites,
   such reuse may also lead to vulnerabilities such as those used in the
   [Raccoon] attack.  See Section 5 for related discussion.

4.  IANA Considerations

   This document makes no requests to IANA.  All cipher suites listed in
   Section 2 are already marked as not recommended in the "TLS Cipher
   Suites" registry.

5.  Security Considerations

   Non-ephemeral finite field DH cipher suites (TLS_DH_*), as well as
   ephemeral key reuse for finite field DH cipher suites, are prohibited
   due to the [Raccoon] attack.  Both are already considered bad
   practice since they do not provide forward secrecy.  However, Raccoon
   revealed that timing side channels in processing TLS premaster
   secrets may be exploited to reveal the encrypted premaster secret.

   Raccoon does not apply to non-ephemeral elliptic curve DH suites,
   since the same timing side channel does not exist.  However, such
   reuse is still discouraged, and thus deprecated in this document.

6.  Acknowledgments

   This document was inspired by discussion on the TLS WG mailing list
   and a suggestion by Filippo Valsorda following release of the
   [Raccoon] attack.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4162]  Lee, H.J., Yoon, J.H., and J.I. Lee, "Addition of SEED
              Cipher Suites to Transport Layer Security (TLS)",
              RFC 4162, DOI 10.17487/RFC4162, August 2005.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346,
              DOI 10.17487/RFC4346, April 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
              256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              DOI 10.17487/RFC5289, August 2008.

   [RFC5469]  Eronen, P., Ed., "DES and IDEA Cipher Suites for Transport
              Layer Security (TLS)", RFC 5469, DOI 10.17487/RFC5469,
              February 2009.

   [RFC5932]  Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites
              for TLS", RFC 5932, DOI 10.17487/RFC5932, June 2010.

   [RFC6209]  Kim, W., Lee, J., Park, J., and D. Kwon, "Addition of the
              ARIA Cipher Suites to Transport Layer Security (TLS)",
              RFC 6209, DOI 10.17487/RFC6209, April 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC6367]  Kanno, S. and M. Kanda, "Addition of the Camellia Cipher
              Suites to Transport Layer Security (TLS)", RFC 6367,
              DOI 10.17487/RFC6367, September 2011.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018.

7.2.  Informative References

   [Raccoon]  Merget, R., Brinkmann, M., Aviram, N., Somorovsky, J.,
              Mittmann, J., and J. Schwenk, "Raccoon Attack: Finding and
              Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)", 1
              August 2012.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492,
              DOI 10.17487/RFC4492, May 2006.

Authors' Addresses

   Carrick Bartle
   Apple, Inc.

   Email: cbartle@apple.com


   Nimrod Aviram

   Email: nimrod.aviram@gmail.com


   Filippo Valsorda

   Email: ietf@filippo.io
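
The requirements in Sections 2 and 3 can be checked mechanically. The Python below is an added example, not part of the draft or of any implementation it discusses: it sorts offered suite names into the draft's MUST NOT and SHOULD NOT groups by key exchange and flags DHE/ECDHE public values that repeat across connections. The function names, the observation record format and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Requirement level per key exchange family, taken from the draft's text.
LEVEL = {
    "DH": "MUST NOT",      # Section 2, Table 1 (TLS_DH_*)
    "ECDH": "SHOULD NOT",  # Section 2, Table 2 (TLS_ECDH_*)
    "DHE": "ephemeral",    # allowed; Section 3 forbids reusing the key
    "ECDHE": "ephemeral",
}


def key_exchange(suite):
    """Return DH, ECDH, DHE or ECDHE for an IANA suite name, else None.

    TLS 1.3 names (no _WITH_), RSA and plain PSK suites return None.
    """
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None
    family = suite[4:].split("_WITH_", 1)[0].split("_", 1)[0]
    return family if family in LEVEL else None


def audit_offer(suites):
    """Group offered suites by the Section 2 requirement they violate."""
    findings = {"MUST NOT": [], "SHOULD NOT": []}
    for suite in suites:
        level = LEVEL.get(key_exchange(suite))
        if level in findings:
            findings[level].append(suite)
    return findings


def find_key_reuse(observations):
    """Report ephemeral public values seen on more than one connection.

    observations: (endpoint, connection_id, suite, public_value_hex),
    a hypothetical record format for logged key exchange values.
    """
    seen = defaultdict(list)
    for endpoint, conn_id, suite, pub_hex in observations:
        family = key_exchange(suite)
        if LEVEL.get(family) != "ephemeral":
            continue  # static suites are reported by audit_offer()
        # A DH public value is an integer: compare numerically so leading
        # zero bytes do not hide reuse. EC points are compared as bytes.
        value = int(pub_hex, 16) if family == "DHE" else bytes.fromhex(pub_hex)
        seen[(endpoint, family, value)].append(conn_id)
    return [
        {"endpoint": ep, "family": fam, "connections": conns,
         "finite_field": fam == "DHE"}  # finite field reuse: see [Raccoon]
        for (ep, fam, _), conns in seen.items() if len(conns) > 1
    ]


# Constructed sample data, not taken from the draft.
OFFER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
]
OBSERVED = [
    ("a.example", 1, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "00ab17c4"),
    ("a.example", 2, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "ab17c4"),
    ("a.example", 3, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "9c3e50d1"),
    ("b.example", 4, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "04aa10"),
    ("b.example", 5, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "04aa10"),
]

if __name__ == "__main__":
    print(audit_offer(OFFER))
    print(find_key_reuse(OBSERVED))
```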