David Benjamin <david...@chromium.org> writes:

>Regardless, I don't think it's worth the time to define and deploy a fixed
>variant of TLS 1.2 DHE. We've already defined a successor twice over.

TLS 1.3 is a non-starter for lots of embedded stuff so that leaves ECDHE which I assume is what you're referring to with "successor twice over". That as a solution is a problem too for implementations that don't do ECC or if a problem is ever found in the ECC algorithms... well, actually lots of problems *have* been found in ECDSA/ECDH needing at least as many band-aids as FFDH [0] so that's a bit of a tautology.

So it is worth fixing, and in particular it doesn't cost anything to say "do this if you want to use DH safely".

Peter.

[0] I haven't totalled the score for both sides so this is an approximation. Also a number of problems on both sides are due to poor implementations rather than actual problems with the algorithms, so they may or may not count.