Re: [TLS] Mail regarding draft-ietf-tls-tls13

2018-06-19 Thread Martin Rex
Ben Personick  wrote:
>
> (My apology for the long email, I did not have time to write a shorter one)
>  We are currently evaluating when to begin offering ECC Certificates
>  based crypto on our websites.
> 
> Despite the advantages to doing this in TLS 1.2, there is a lot of
> push-back to wait until we "have to support it" once the TLS 1.3 draft
> is published, and the option to use it becomes available.

Honestly, why would you want to do this?

ECC/RSA Dual Cert setups are cryptographically a bad idea, and a real
nuisance for interoperability.

Elliptic Curve Crypto, when used with the design-flawed ECDSA digital
signature algorithm, might leak the private key within a few thousand
TLS full handshakes to a mere passive observer.

Support for EdDSA is somewhere between thin and non-existent still.

And for programmatic TLS clients, which take security seriously, and
do not come with hundreds of public CA certificates preconfigured
as trusted, a sudden change of the TLS server certificate when
rearranging TLS cipher suites or when the underlying TLS implementation
starts to include support for ECDSA certificates, can easily result
in a sudden unexpected loss of interop (missing trust).

Testing that you have the required trust properly configured for
*BOTH* TLS server certs is a royal pita, and _preparing_ for a TLS client
software update that adds support for ECDSA cipher suites is pretty
much impossible to test (unless you already have that implementation,
but that is not what I meant with preparing).


-Martin

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] Mail regarding draft-ietf-tls-tls13

2018-06-19 Thread Ben Personick
Hi Rich,
  Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I’d 
been led to believe that all RSA based ciphers were not supported.

 Having seen some further responses, it appears it is only the NON ECDHE RSA 
Based ciphers which are having support dropped in TLS 1.3

  Ie all Non-Elliptic Curve Diffie Hellman ciphers ( eg AES-256 w/o DH, with DH 
or EDH/DHE, but not ECDHE_RSA)

  And yeah, it’s been my experience everywhere, but I was pretty pumped up to 
have a better reason to push to start implementing ECDHE_ECDSA Ciphers in 
addition to our existing Ciphers.
Ben
From: Salz, Rich [mailto:rs...@akamai.com]
Sent: Tuesday, June 19, 2018 11:07 AM
To: Ben Personick ; TLS WG 
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13

>  Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no 
> push to move towards offering them, because of various 'reasons'.
I think you mean ECDH with RSA.  But yes, that’s a common situation, few 
organizations pay to add security until they’re “forced” to do so.  You’re not 
alone.


Re: [TLS] Mail regarding draft-ietf-tls-tls13

2018-06-19 Thread Salz, Rich
>  Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no 
> push to move towards offering them, because of various 'reasons'.

I think you mean ECDH with RSA.  But yes, that’s a common situation, few 
organizations pay to add security until they’re “forced” to do so.  You’re not 
alone.


Re: [TLS] Mail regarding draft-ietf-tls-tls13

2018-06-19 Thread Hubert Kario
On Monday, 18 June 2018 21:10:05 CEST Ben Personick wrote:
>   I can only support ecdsa_rsa unless I have an ECC certificate to support
> ecsda_ecsde ciphers.

that is a software limitation, not a protocol limitation
 
>   Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no
> push to move towards offering them, because of various 'reasons'.

technically, there are no ecdsa_rsa, ecdhe_rsa or ecdhe_ecdsa ciphers in TLS 
1.3, the signature over key exchange is guided by the signature_algorithms 
extensions only, cipher suite does not influence it

> Ben
> 
> 
> From: Viktor Dukhovni 
> Sent: Monday, June 18, 2018 12:32
> To: Ben Personick
> Cc: TLS WG
> Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13
> 
> > On Jun 18, 2018, at 9:10 AM, Ben Personick 
> > wrote:
> > 
> > There is a common thread circulating, that all support for RSA
> > Certificates/Ciphers are dropped in TLS 1.3.
> This is not the case.
> 
> > As I wrote in the last email, I am aware we can implement ECC certs and
> > ciphers in TLS 1.2, along side RSA certs/ciphers, however there is a
> > consistent fear of breaking what already works by moving onto offering
> > both an ECC and RSA certificate and corresponding ciphers.
> You should at least support verifying ECDSA certificates on the client
> side, some servers your client software might connect to may have only
> ECDSA certificates.  On the server side you can continue to use RSA
> certificates if you wish.  While ECDSA is faster on the server, there
> are still some clients (perhaps yours among them) that only support RSA,
> and so you'd need to have both RSA and ECDSA certificates, which is
> operationally a bit more challenging.
> 
> --
> Viktor.


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
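
Added example, not written by any poster in this thread: a sketch of how a dual-certificate server could decide which certificate key types a client can be served, showing that the TLS 1.2 cipher suite constrains the choice while in TLS 1.3 only signature_algorithms does. The function names and the sample ClientHello values are constructed for illustration; the code points are from RFC 8446 and the IANA cipher suite registry, and signature_algorithms_cert and curve matching are left out.

```python
import struct

# SignatureScheme code points, RFC 8446 section 4.2.3 (subset).
RSA_PKCS1 = {0x0401, 0x0501, 0x0601}      # rsa_pkcs1_sha256/384/512
RSA_PSS_RSAE = {0x0804, 0x0805, 0x0806}   # rsa_pss_rsae_sha256/384/512
ECDSA = {0x0403, 0x0503, 0x0603}          # ecdsa_secp256r1_sha256, ...
# TLS 1.3 suites name only the AEAD and hash; TLS 1.2 suites also name the
# certificate key type (subset of each).
TLS13_SUITES = {0x1301, 0x1302, 0x1303}
TLS12_SUITE_AUTH = {0xC02B: "ecdsa", 0xC02C: "ecdsa",
                    0xC02F: "rsa", 0xC030: "rsa"}


def parse_signature_algorithms(ext_data):
    """Decode signature_algorithms extension_data into a list of code points."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack_from("!H", ext_data)
    if length == 0 or length % 2 or length != len(ext_data) - 2:
        raise ValueError("bad supported_signature_algorithms length")
    return list(struct.unpack_from("!%dH" % (length // 2), ext_data, 2))


def usable_cert_types(version, suites, schemes):
    """Key types ("rsa"/"ecdsa") of server certificate this client accepts."""
    offered = set(schemes)
    if version == "1.3":
        if not TLS13_SUITES & set(suites):
            return set()
        # CertificateVerify with an RSA key must use RSASSA-PSS in TLS 1.3.
        by_sig = {"rsa"} if offered & RSA_PSS_RSAE else set()
    else:  # TLS 1.2
        by_sig = {"rsa"} if offered & (RSA_PKCS1 | RSA_PSS_RSAE) else set()
    if offered & ECDSA:
        by_sig.add("ecdsa")
    if version == "1.3":
        return by_sig                      # suite plays no part in the choice
    by_suite = {TLS12_SUITE_AUTH[s] for s in suites if s in TLS12_SUITE_AUTH}
    return by_sig & by_suite               # both must agree in TLS 1.2


# Constructed sample: a client offering ECDSA and RSA signatures, but no
# ECDHE_ECDSA TLS 1.2 suite.
SAMPLE_EXT = bytes.fromhex("0006" "0403" "0804" "0401")
SAMPLE_SUITES = [0x1301, 0xC02F]

if __name__ == "__main__":
    schemes = parse_signature_algorithms(SAMPLE_EXT)
    for v in ("1.2", "1.3"):
        print(v, sorted(usable_cert_types(v, SAMPLE_SUITES, schemes)))
```

Running the same check over ClientHellos captured from your own clients shows which of them would start receiving the ECDSA certificate once it is deployed, which is the trust-store case raised earlier in the thread.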
