I agree with Viktor and Dave. RSA with keys greater at least 2048 bit is a good requirement that can be made of old and new implementations. Even if for some reason you’re stuck with OpenSSL 0.9.6 and thus with TLS 1.0 and 3DES, you can conform to this requirement. I think it would be a shame to make that requirement only of implementations while they’re using ChaCha.
And yes, there’s nothing more wrong with using ChaCha with 1024-bit RSA then there is with using AES with it. Yoav > On 10 Mar 2016, at 9:41 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > > > Hiya, > > This is ready to go but I've one question. Sorry I don't > recall if this was discussed previously, if it was, then > just say and I'll move this along to IETF LC. > > My question is: Should the WG take the opportunity to more > tightly define the key exchange parameters for these > ciphersuites? > > For example, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 could > REQUIRE RSA keys with >=2048 bit moduli and one could go > further and say that this also REQUIRES use of specific > integer DH groups. Etc etc. Getting all that agreed might > take a wee while, so if the answer is "nah, no thanks, we don't > want to do that here," that's fine and I'll just start IETF > LC. I guess another way to handle that might be to say that > these ciphersuites REQUIRE that all relevant restrictions > from BCP195 be enforced. That'd maybe ensure the public key > stuff is all at good strength, but doing so might not be so > effective, in terms of trying to ensure these ciphersuites > aren't used with e.g. short RSA keys. > > Whatchacha think? > > Cheers, > S. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls