On Sat, Apr 20, 2024 at 04:12:48AM +, Peter Gutmann wrote:
> I realise that absence of evidence != evidence of absence, but in response to
> my previous request for anyone who has such a thing to comment on it, and even
> better to send me a sample so I can see one, no-one has mentioned, or
>
I realise that absence of evidence != evidence of absence, but in response to
my previous request for anyone who has such a thing to comment on it, and even
better to send me a sample so I can see one, no-one has mentioned, or
produced, even one example of "a legitimate CA-issued [static-ephemeral
On Mon, 15 Apr 2024 at 22:14, Joseph Salowey wrote:
>
> At IETF 119 we had discussion that static DH certificates lead to static key
> exchange which is undesirable. Although the current draft deprecates static
> DH ciphersuites, it seems that RFC 5246 allows the client to provide a
>
Yes.
(Draft coauthor here. FWIW, I'm not sure how much bandwidth I'll have to
continue moving the draft forward. Regardless, this sounds like a good idea
to me.)
On Mon, 15 Apr 2024 at 21:14, Joseph Salowey wrote:
> At IETF 119 we had discussion that static DH certificates lead to static
> key
Joseph Salowey writes:
>At IETF 119 we had discussion that static DH certificates lead to static key
>exchange which is undesirable.
Has anyone ever seen one of these things, meaning a legitimate CA-issued one
rather than something someone ran up in their basement for fun? If you have,
can I
2024-04-15 20:14 GMT+02:00 Joseph Salowey :
> Should the draft deprecate these ClientCertificateTypes and mark the entries
> (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh) as 'D'
> discouraged?
Oh, yes.
___
TLS mailing list
On Tue, Apr 16, 2024, at 04:14, Joseph Salowey wrote:
> Should the draft deprecate these ClientCertificateTypes and mark the
> entries (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh)
> as 'D' discouraged?
Yes.
At IETF 119 we had discussion that static DH certificates lead to static key
exchange which is undesirable. Although the current draft deprecates static DH
ciphersuites, it seems that RFC 5246 allows the client to provide a certificate
with a static DH keypair to provide static parameters in
Yes.
-Ekr
On Mon, Apr 15, 2024 at 11:14 AM Joseph Salowey wrote:
> At IETF 119 we had discussion that static DH certificates lead to static
> key exchange which is undesirable. Although the current draft deprecates
> static DH ciphersuites, it seems that RFC 5246 allows the client to provide
At IETF 119 we had discussion that static DH certificates lead to static
key exchange which is undesirable. Although the current draft deprecates
static DH ciphersuites, it seems that RFC 5246 allows the client to provide
a certificate with a static DH keypair to provide static parameters in