Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-15 Thread Nikos Mavrogiannopoulos
On Mon, 2018-11-05 at 21:24 -0500, Viktor Dukhovni wrote:
> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
> X509v3 Key Usage:
> Key Encipherment, Data Encipherment
>
> (which one might take to mean that only RSA key

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-13 Thread Andrei Popov
> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into TLS
> was a mistake, and glad to see them gone in TLS 1.3.
I agree with the sentiment, but there is a concerted effort to bring fixed (EC)DH to TLS 1.3:

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-12 Thread Viktor Dukhovni
> On Nov 12, 2018, at 4:45 AM, Tony Putman wrote:
>
> Can you please explain to me the problem with (EC)DH ciphers? If it's the
> lack of forward secrecy, then I understand. If there are other problems,
> then I would be keen to understand them.
As much as it was lack of forward-secrecy, it

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-12 Thread Tony Putman
Victor,
> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
> TLS was a mistake, and glad to see them gone in TLS 1.3.
Can you please explain to me the problem with (EC)DH ciphers? If it's the lack of forward secrecy, then I understand. If there are other problems, then

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-09 Thread Viktor Dukhovni
> On Nov 9, 2018, at 11:52 AM, Yoav Nir wrote:
>
>> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
>> TLS was a mistake, and glad to see them gone in TLS 1.3.
>
> FWIW RFC 8422 also deprecates them for TLS 1.2 and earlier.
Great! Thanks. I see that in: 5.5.

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-09 Thread Yoav Nir
> On 9 Nov 2018, at 13:40, Viktor Dukhovni wrote:
>
>> On Nov 9, 2018, at 1:19 AM, Peter Gutmann wrote:
>>
>>> Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>>> used for encryption with ECIES.
>>
>> Sure, in theory, but in practice I've never seen an (EC)DH

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-08 Thread Viktor Dukhovni
> On Nov 9, 2018, at 1:19 AM, Peter Gutmann wrote:
>
>> Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>> used for encryption with ECIES.
>
> Sure, in theory, but in practice I've never seen an (EC)DH cert used in TLS
> (despite actively looking for one,
Nor have

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-08 Thread Peter Gutmann
Viktor Dukhovni writes:
>Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>used for encryption with ECIES.
Sure, in theory, but in practice I've never seen an (EC)DH cert used in TLS (despite actively looking for one, since it'd be a collector's item for the cert

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-08 Thread Viktor Dukhovni
> On Nov 8, 2018, at 5:27 PM, Peter Gutmann wrote:
>
>> Always enforce peer certificate key usage (separation) for ECDSA. ECDSA keys
>> are more brittle when misused.
>
> Since ECDSA can only do signing, isn't this a bit redundant? In other words
> you can't really not enforce keyUsage for a

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-08 Thread Peter Gutmann
Blumenthal, Uri - 0553 - MITLL writes:
>Always enforce peer certificate key usage (separation) for ECDSA. ECDSA keys
>are more brittle when misused.
Since ECDSA can only do signing, isn't this a bit redundant? In other words you can't really not enforce keyUsage for a signature-only algorithm.

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-08 Thread Blumenthal, Uri - 0553 - MITLL
Yes to what Viktor proposed.
On 11/7/18, 11:27 PM, "TLS on behalf of Viktor Dukhovni" wrote:
> On Nov 7, 2018, at 6:07 PM, Geoffrey Keating wrote:
>
> In general, though, what you're asking is "The CA signing this key has
> instructed that I do not accept signatures made with

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 6:07 PM, Geoffrey Keating wrote:
>
> In general, though, what you're asking is "The CA signing this key has
> instructed that I do not accept signatures made with it. Is it OK to
> accept signatures made with it?" It's really hard to see how the
> answer to that could

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-07 Thread David Benjamin
On Wed, Nov 7, 2018 at 1:12 AM Viktor Dukhovni wrote:
> [ Quoted text slightly reordered to put the RSA issue first, as that's
> the main thing I'm trying to get clarity on, and enabling keyUsage
> enforcement is causing some interoperability issues now... ]
>
> > On Nov 5, 2018, at 11:11

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-07 Thread Martin Rex
Geoffrey Keating wrote:
> Viktor Dukhovni writes:
>>
>> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
>> certificate that *only* lists:
>>
>> X509v3 Key Usage:
>> Key Encipherment, Data Encipherment
>
> Yes, because in DHE-RSA, the RSA key is used

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-05 Thread Geoffrey Keating
Viktor Dukhovni writes:
> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
> X509v3 Key Usage:
> Key Encipherment, Data Encipherment
Yes, because in DHE-RSA, the RSA key is used for signing, and this is an

[TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

2018-11-05 Thread Viktor Dukhovni
TL;DR: Should TLS client abort DHE-RSA handshakes with a peer certificate that *only* lists: X509v3 Key Usage: Key Encipherment, Data Encipherment (which one might take to mean that only RSA key exchange is allowed, and DHE-RSA is not, for lack of the