Re: [TLS] KeyUpdate and unbounded write obligations

2016-08-19 Thread Keith Winstein
On Fri, Aug 19, 2016 at 11:05 AM, Adam Langley wrote:
> I don't think that a device can ensure that the other side doesn't get
> compromised. Even if it rotates keys, there are plenty of ways that a well
> meaning implementation could fail to erase them: copying GCs,

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread David Benjamin
On Fri, Aug 19, 2016 at 2:35 PM Geoffrey Keating wrote:
> Peter Gutmann writes:
>
> > The problem is that 7919 doesn't say "I want to do DHE, if possible
> > with these parameters", it says "I will only accept DHE if you use
> > these parameters,

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread Geoffrey Keating
Peter Gutmann writes:
> The problem is that 7919 doesn't say "I want to do DHE, if possible
> with these parameters", it says "I will only accept DHE if you use
> these parameters, otherwise you cannot use DHE but must drop back to
> RSA". Talk about cutting off your

Re: [TLS] KeyUpdate and unbounded write obligations

2016-08-19 Thread Adam Langley
On Thu, Aug 18, 2016 at 5:18 PM, Keith Winstein wrote:
> Yeah, our reasoning follows yours and goes a little further:
>
> 4) I don't know when I'm going to wake up again.
> 5) I don't want a subsequent compromise of me *or* the other side to
> reveal prior plaintext from
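The property being argued over here is the one-way traffic-secret ratchet behind KeyUpdate: once a peer derives secret N+1 from secret N and overwrites N, a later compromise of that peer yields only N+1 onward. The following is an added example, not code from the thread or from any TLS implementation. It uses the final RFC 8446 key schedule (the "tls13 " label prefix and the "traffic upd" label); the 2016 drafts under discussion used different label strings. The initial secret is constructed; in real TLS it comes from the handshake key schedule. Langley's caveat is left visible in the code: the in-place overwrite only erases the one buffer the object holds, not copies a garbage collector or swap file may have made.

```python
"""TLS 1.3-style traffic-secret ratchet (added example; not from the thread).

Labels follow RFC 8446; HMAC-SHA256 is the only hash modelled.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

HASH_LEN = 32  # SHA-256 output length


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label over the HkdfLabel structure."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def next_traffic_secret(secret: bytes) -> bytes:
    """RFC 8446 section 7.2: application_traffic_secret_N+1 from secret N."""
    return hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)


def traffic_keys(secret: bytes) -> Tuple[bytes, bytes]:
    """RFC 8446 section 7.3: AEAD key and IV (AES-128-GCM sizes) for one secret."""
    return (hkdf_expand_label(secret, b"key", b"", 16),
            hkdf_expand_label(secret, b"iv", b"", 12))


class WriteDirection:
    """One direction of a connection: the live secret plus a generation counter."""

    def __init__(self, secret: bytes):
        self._secret = bytearray(secret)   # mutable so the old value can be overwritten
        self.generation = 0

    def keys(self) -> Tuple[bytes, bytes]:
        return traffic_keys(bytes(self._secret))

    def key_update(self) -> int:
        """Ratchet forward and overwrite the previous secret in place.

        The derivation is one-way, so compromising this object later yields
        only the current and future secrets.  This does not erase any copy
        of the old buffer that a GC, swap or core dump may hold.
        """
        new = next_traffic_secret(bytes(self._secret))
        self._secret[:] = b"\x00" * HASH_LEN   # best-effort erase of the old value
        self._secret[:] = new
        self.generation += 1
        return self.generation


def ratchet_chain(initial: bytes, updates: int) -> List[bytes]:
    """The secrets the peer would derive across `updates` KeyUpdates."""
    chain = [initial]
    for _ in range(updates):
        chain.append(next_traffic_secret(chain[-1]))
    return chain


if __name__ == "__main__":
    # Constructed initial secret; in TLS it comes from the handshake key schedule.
    start = hashlib.sha256(b"constructed application_traffic_secret_0").digest()
    side = WriteDirection(start)
    for _ in range(3):
        side.key_update()
    print("generation", side.generation, "key", side.keys()[0].hex())
```

Both peers run `next_traffic_secret` independently after a KeyUpdate, so `ratchet_chain` is what the receiving side computes; the sender's `WriteDirection` must land on the same keys at every generation or the AEAD tags stop verifying.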

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread Watson Ladd
On Fri, Aug 19, 2016 at 6:03 AM, Peter Gutmann wrote:
> Ilari Liusvaara writes:
>
>>AFAIK, that failure can only happen if at least one of:
>
> [...]
>
> New groups are introduced but the server or client only support the old ones.
> So the

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread Ilari Liusvaara
On Fri, Aug 19, 2016 at 01:03:22PM +, Peter Gutmann wrote:
> Ilari Liusvaara writes:
>
> >AFAIK, that failure can only happen if at least one of:
>
> [...]
>
> New groups are introduced but the server or client only support the old ones.
> So the server does

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread Peter Gutmann
Ilari Liusvaara writes:

>AFAIK, that failure can only happen if at least one of:

[...]

New groups are introduced but the server or client only support the old ones.
So the server does ffdhe2048, the client does ffdhe2048', both are quite happy to do DHE-2048 but as a
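The ffdhe2048 / ffdhe2048' case above, and the "must drop back to RSA" complaint earlier in the thread, come down to the server-side rule in RFC 7919 section 3: if the client lists any codepoint in the FFDHE range (256..511, known to the server or not) and none of those groups is acceptable, the server MUST NOT select an FFDHE cipher suite and SHOULD pick a non-FFDHE suite the client offered (with insufficient_security if there is none). The toy negotiator below is an added example, not code from the thread or from any TLS stack. Cipher-suite names and the five named-group codepoints are the real identifiers; the codepoint 300 standing in for ffdhe2048' and the "local-custom-params" branch for a client that offers no FFDHE group (the pre-7919 behaviour, where the server uses whatever DH parameters it has) are constructed for illustration.

```python
"""Toy model of RFC 7919 FFDHE negotiation (added example; not from the thread)."""
from typing import Iterable, List, Optional, Set, Tuple

# RFC 7919 section 2: named-group codepoints in supported_groups.
FFDHE_GROUPS = {
    256: "ffdhe2048",
    257: "ffdhe3072",
    258: "ffdhe4096",
    259: "ffdhe6144",
    260: "ffdhe8192",
}
# Any codepoint in this range marks the client as 7919-aware, even if the
# server has never heard of the specific group.
FFDHE_RANGE = range(256, 512)

SECP256R1 = 23          # an ECDHE group, for a client that offers no FFDHE group
FFDHE2048_PRIME = 300   # assumed private-use codepoint playing "ffdhe2048'"

DHE_RSA = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_KX = "TLS_RSA_WITH_AES_128_GCM_SHA256"


def is_dhe_suite(suite: str) -> bool:
    return "_DHE_" in suite


def negotiate(client_suites: List[str], client_groups: Iterable[int],
              server_suites: List[str], server_ffdhe_groups: Set[int],
              server_has_local_dh_params: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (selected cipher suite, DH group used) in server preference order.

    (None, None) means no suite is acceptable; a real server would send the
    insufficient_security(71) alert at that point.
    """
    client_ffdhe = [g for g in client_groups if g in FFDHE_RANGE]
    if client_ffdhe:
        # 7919-aware client: DHE only with a group it listed and the server accepts.
        usable = [g for g in client_ffdhe if g in server_ffdhe_groups]
        dhe_group = (FFDHE_GROUPS.get(usable[0], "ffdhe-private-%d" % usable[0])
                     if usable else None)
    else:
        # Legacy client: the server may run DHE with its own parameters.
        dhe_group = "local-custom-params" if server_has_local_dh_params else None

    for suite in server_suites:
        if suite not in client_suites:
            continue
        if is_dhe_suite(suite):
            if dhe_group is None:
                continue        # the "drop back to RSA" branch from the thread
            return suite, dhe_group
        return suite, None
    return None, None


SERVER_SUITES = [DHE_RSA, RSA_KX]   # server prefers DHE


def scenario_overlap() -> Tuple[Optional[str], Optional[str]]:
    """Client and server both know ffdhe2048."""
    return negotiate([DHE_RSA, RSA_KX], [256], SERVER_SUITES, {256, 257}, True)


def scenario_mismatch() -> Tuple[Optional[str], Optional[str]]:
    """Client offers only ffdhe2048' (codepoint 300); server only knows ffdhe2048.
    Both could do 2048-bit DHE, yet the rule forces the RSA suite."""
    return negotiate([DHE_RSA, RSA_KX], [FFDHE2048_PRIME], SERVER_SUITES, {256}, True)


def scenario_mismatch_no_fallback() -> Tuple[Optional[str], Optional[str]]:
    """Same mismatch, but the client offered no non-DHE suite: fatal alert."""
    return negotiate([DHE_RSA], [FFDHE2048_PRIME], SERVER_SUITES, {256}, True)


def scenario_legacy() -> Tuple[Optional[str], Optional[str]]:
    """Client lists no FFDHE group at all, so the server's own parameters are fine."""
    return negotiate([DHE_RSA, RSA_KX], [SECP256R1], SERVER_SUITES, {256}, True)


if __name__ == "__main__":
    for name, fn in [("overlap", scenario_overlap), ("mismatch", scenario_mismatch),
                     ("mismatch, DHE-only client", scenario_mismatch_no_fallback),
                     ("legacy client", scenario_legacy)]:
        print("%-26s -> %s" % (name, fn()))
```

The mismatch scenario is the one the thread objects to: adding a single unknown FFDHE codepoint to the client's list is enough to turn a working DHE-2048 exchange into RSA key transport, while a client that says nothing about FFDHE keeps getting DHE.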

Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

2016-08-19 Thread Peter Gutmann
Bodo Moeller writes:

>Peter, so your complaint is about the lack of support for explicitly
>specified (non-"named") groups?

It's the lack of support for DHE unless it's the exact parameters the server wants. At the moment if your implementation wants to use DHE (which pretty