Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hi Victor, We've never supported DHE, and are skipping it to ECDHE as DHE is considered by our security scans to be too insecure (as our LB's implementation is capped at 1024 bit ephemerals) From: Viktor Dukhovni Sent: Tuesday, June 19, 2018 1:07 PM To: Ben Personick Cc: TLS WG Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > On Jun 19, 2018, at 11:17 AM, Ben Personick > wrote: > > Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I’d > been lead to believe that all RSA based ciphers were not supported. > > Having seem some further responses, it appears it is only the NON ECDHE RSA > Based ciphers which are having support dropped in TLS 1.3 I may have been too cryptic. When I wrote (EC)DHE I meant both DHE and ECDHE. However, some (early) implementations may only support ECDHE with TLS 1.3. IIRC, OpenSSL 1.1.1 does not yet support the TLS 1.3 DHE groups. So interoperability if you only support DHE may be problematic. -- Viktor. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hi Rich, Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I’d been lead to believe that all RSA based ciphers were not supported. Having seem some further responses, it appears it is only the NON ECDHE RSA Based ciphers which are having support dropped in TLS 1.3 Ie all Non-Elliptic Curve Diffie Hellman ciphers ( eg AES-256 w/o DH, with DH or EDH/DHE, but not ECDHE_RSA) And yeah, it’s been my experience everywhere, but I was pretty pumped up to have a better reason to push to start implementing ECDHE_ECDSA Ciphers in addition to our existing Ciphers. Ben From: Salz, Rich [mailto:rs...@akamai.com] Sent: Tuesday, June 19, 2018 11:07 AM To: Ben Personick ; TLS WG Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no > push to move towards offering them, because of various 'reasons'. I think you mean ECDH with RSA. But yes, that’s a common situation, few organizations pay to add security until they’re “forced” to do so. You’re not alone. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hello Tony, So essentially TLS 1.3 drops support for DH/DHE ciphers on RSA keys, but willl otherwise work as expected? Ben From: Tony Arcieri Sent: Monday, June 18, 2018 11:36 To: Ben Personick Cc: Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 On Mon, Jun 18, 2018 at 6:30 AM Ben Personick mailto:ben.person...@iongroup.com>> wrote: There is a common thread circulating, that all support for RSA Certificates/Ciphers are dropped in TLS 1.3. RSA certificates will continue to work in TLS 1.3+. What will not be supported in TLS 1.3+ is RSA key transport / key encipherment (which lacks forward secrecy, among other problems). However, this is a property of how the protocol does key exchange / key agreement and has nothing to do with certificates. -- Tony Arcieri ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hello Viktor, I am only concerned with offereing newer , faster, and more secure cipher suites on our web application, so that as clients have the ability to use them they can begin to do so. Our LB offers a method to present baoth an RSA and ECC cert at thw aame time, at the cost of buying both each year. I can only support ecdsa_rsa unless I have an ECC certificate to support ecsda_ecsde ciphers. Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no push to move towards offering them, because of various 'reasons'. Ben From: Viktor Dukhovni Sent: Monday, June 18, 2018 12:32 To: Ben Personick Cc: TLS WG Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > On Jun 18, 2018, at 9:10 AM, Ben Personick wrote: > > There is a common thread circulating, that all support for RSA > Certificates/Ciphers are dropped in TLS 1.3. This is not the case. > As I wrote in the last email, I am aware we can implemenet ECC certs and > ciphers in TLS 1.2, along side RSA certs/ciphers, however there is a > consistent fear of breaking what already works by moving onto offering both > an ECC and RSA certificate and corrosponding ciphers. You should at least support verifying ECDSA certificates on the client side, some servers your client software might connect to may have only ECDSA certificates. On the server side you can continue to use RSA certificates if you wish. While ECDSA is faster on the server, there are still some clients (perhaps yours among them) that only support RSA, and so you'd need to have both RSA and ECDSA certificates, which is operationally a bit more challenging. -- Viktor. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hello Sean Thanks for the explination. :) Ben From: Sean Turner Sent: Saturday, June 16, 2018 11:04 PM To: Ben Personick Cc: tls@ietf.org Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > On Jun 12, 2018, at 16:15, Ben Personick wrote: > > I have read some articles saying the draft is approved, but on looking it > seems not to be, I am a little unsure why the draft has been stuck in this > seemingly nearly finished but not quite ready state for 3 months. The draft has been approved by the IESG. Once a draft is approved it moves over to the RFC editor (and there’s some IANA review too); here’s a link to the RFC editorial process [0]; here’s a link to their publication queue [1]. 3 months is about what I expected in terms of wait post approval.. We’re nearly there. spt [0] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rfc-editor.org%2Fpubprocess%2F=02%7C01%7Cben.personick%40iongroup.com%7Ca655a0eeead9423fbd0408d5d3ff13d0%7C768fe7d4ebee41a79851d5825ecdd396%7C0%7C1%7C636648014877571083=P7w%2BqRt4H8tqJaRkG%2FoQJg8%2FJMDABTe6BAcgx33JWEU%3D=0 [1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rfc-editor.org%2Fcurrent_queue.php=02%7C01%7Cben.personick%40iongroup.com%7Ca655a0eeead9423fbd0408d5d3ff13d0%7C768fe7d4ebee41a79851d5825ecdd396%7C0%7C1%7C636648014877571083=IxdHA4%2FTBCy%2BugEOcO37Rx4nDiRXOCSIAQOLlXtVSmQ%3D=0 ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Mail regarding draft-ietf-tls-tls13
Hello Viktor, Thanks for your thoughtful reply. I haven't read the draft itself, only the articals which point to it. There is a common thread circulating, that all support for RSA Certificates/Ciphers are dropped in TLS 1.3. As I wrote in the last email, I am aware we can implemenet ECC certs and ciphers in TLS 1.2, along side RSA certs/ciphers, however there is a consistent fear of breaking what already works by moving onto offering both an ECC and RSA certificate and corrosponding ciphers. If TLS 1.3 does support RSA certs, that removes the drive to begin offering ecdhe_ecdsa alongside ecdhe_rsa, which essentially moves it back to the "Do not need to implement pile", which will not tick forward into the "must implement" pile until it is absolutely required. I was sincerely hoping to be able to use the expected "end of ths RSA Cert" to move us there in preparation of supporting TLS 1.3 and for once be ahead of the curve instead of implemementing what seems to be superiod encryption methods much later. Ben From: Viktor Dukhovni Sent: Saturday, June 16, 2018 11:31 PM To: Ben Personick Cc: tls@ietf.org Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > On Jun 12, 2018, at 4:15 PM, Ben Personick wrote: > > We are currently evaluating when to begin offering ECC Certificates based > cypto on our websites. > > Despite the advantages to doing this in TLS 1..2, there is a lot of push-back > to wait until we “have to support it” once the TLS 1.3 draft is published, > and the option to use it becomes available. I am puzzled why you feel you have to support ECC certificates with TLS 1.3, and yet not for TLS 1.2? RSA certificates continue to be supported in TLS 1.3, and ECDSA certificates are well supported in TLS 1.2. Are you referring to deploying ECC certificates in your server software, or interoperating with ECC servers in your client software? If the latter, then indeed you should start to support servers that can only present ECDSA, rather than RSA, certificates. And do so with both TLS 1.2 and TLS 1.3, it is not clear why you'd wait for TLS 1.3 to be published. (We can party when it comes out, but that should not IMHO hold up implementations of ECDSA support). -- -- Viktor. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
[TLS] Mail regarding draft-ietf-tls-tls13
Dear Sirs at the IETF, (My apology for the long email, I did not have time to write a shorter one) We are currently evaluating when to begin offering ECC Certificates based cypto on our websites. Despite the advantages to doing this in TLS 1.2, there is a lot of push-back to wait until we "have to support it" once the TLS 1.3 draft is published, and the option to use it becomes available. I have read some articles saying the draft is approved, but on looking it seems not to be, I am a little unsure why the draft has been stuck in this seemingly nearly finished but not quite ready state for 3 months. Surely if there were some way I could move this project forward I would, but I am not an IETF member, so it seems my only option is to politely enquire with you and note that at least some of us are stuck using only RSA crypto until such time as this draft gets finished, and provides us with the needed emphasis to push our organizations to implement ECC cert cryptos "in preparation to support tls 1.3" as it will actually be a standard. I have been pushing for us to begin to proffer ECC certificate based crypto for some time, but until TLS 1.3 is finally accepted as a standard we will continue to see a lot of push-back here, and I suspect this is not unique to our organization, and is likely partially responsible for strangely the slow adoption on the ECDSA cipher support. Do we have any realistic Idea of when this proposal will become approved? Knowing it is happening, will give me the push I need to get us to buy an implement an ECC Certificate alongside our RSA Cert as we move forward so that we can be "ready for tls 1.3" Thanks, Ben ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls