> the latter is basically unexploitable with properly behaving hosts in TLSv1.2
Well, right, that's the trick. The issue that people have pointed out with FFDHE is that it's very easy to have a host that is not properly behaving (see RFC 7919, which is referenced in our draft). On Wed, Dec 21, 2022 at 5:14 AM Hubert Kario <hka...@redhat.com> wrote: > On Tuesday, 20 December 2022 19:37:14 CET, Rob Sayre wrote: > > On Tue, Dec 20, 2022 at 4:53 AM Hubert Kario <hka...@redhat.com> wrote: > > Thus the deprecation of it is a matter of taste, not > > cryptographic > > necessity. > > > > I'm sorry if I'm being dense here, but isn't all of this a > > SHOULD NOT in RFC 9325? > > > > > https://www.rfc-editor.org/rfc/rfc9325.html#name-recommendations-cipher-suit > > > > Maybe I'm misreading that RFC, but given that it's a BCP, it > > seems like deprecation is a natural step that reflects IETF > > consensus. > > that RFC marks both TLS_RSA_* and TLS_DHE_* as "SHOULD NOT". > Given that the former is still being exploited close to 25 years after the > Bleichenbacher attack was discovered, while the latter is basically > unexploitable with properly behaving hosts in TLSv1.2, I don't think it's > correct to consider them at the same level. > > Yes, if you have ECDHE available, you SHOULD NOT use DHE in TLSv1.2. But if > everything you have is either TLS_RSA_* and TLS_DHE_*, then you're far > better > of with TLS_DHE_*. > -- > Regards, > Hubert Kario > Principal Quality Engineer, RHEL Crypto team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
