On Tue, Dec 20, 2022, at 23:52, Hubert Kario wrote: > use of FFDHE with large key sizes is the best protection against > store-and-decrypt-later attacks
This doesn't deprecate use of FFDHE in TLS 1.3, for which we have some ludicrously large named groups. Is that not enough? > If anything, RSA key exchange should be deprecated first. > RFC 8446 deprecated only the DSA ciphersuites, not RSA. This is an odd statement. TLS 1.3 ciphersuites no longer include the concept of key exchange or signing. If you are talking about the signing part, both were sort of deprecated. RSASSA-PKCS1_v1.5 (ugh, I hate typing that) is only usable within the certificate chain, not in the protocol. PSS was added back. However, for key exchange, which is more relevant to this conversation, RSA was indeed removed. And the draft we're discussing does indeed say that RSA key exchange in TLS 1.2 is deprecated. Can you help me better understand the scope of your objection? _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
