David Benjamin <david...@chromium.org> writes:

>Regardless, I don't think it's worth the time to define and deploy a fixed
>variant of TLS 1.2 DHE. We've already defined a successor twice over.

TLS 1.3 is a non-starter for lots of embedded stuff so that leaves ECDHE which
I assume is what you're referring to with "successor twice over".  That as a
solution is a problem too for implementations that don't do ECC or if a
problem is ever found in the ECC algorithms... well, actually lots of problems
*have* been found in ECDSA/ECDH needing at least as many band-aids as FFDH [0]
so that's a bit of a tautology.

So it is worth fixing, and in particular it doesn't cost anything to say "do
this if you want to use DH safely".

Peter.

[0] I haven't totalled the score for both sides so this is an approximation.
    Also a number of problems on both sides are due to poor implementations
    rather than actual problems with the algorithms, so they may or may not
    count.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
