In cryptography, adherence to standards is not just procedural, it’s often essential for maintaining security. When implementations treat compliance as a smorgasbord of optional requirements, it becomes extremely difficult to analyze their security in larger systems. When I see an implementations referring to AES-GCM or ML-KEM, I expect full compliance with all NIST requirements associated with those algorithms.
As I said, the example I encountered in telecom was an implementation supporting TLS_RSA_WITH_AES_128_CBC_SHA just because it is MTI in RFC 5246. Unclear how much it was used. >It's because of the "DHE bad" meme from a few years ago which resulted in >people turning off all the DHE suites and so what was left standing was RSA. IETF has still not published draft-ietf-tls-deprecate-obsolete-kex as an RFC, and anyone genuinely interested in staying current should have added support for ECDHE before or when RFC 7525 was published back in 2015. I agree that people doing crypto profiling by reading Twitter is problematic. Cheers, John On 2025-10-22, 05:11, "Peter Gutmann" <[email protected]> wrote: John Mattsson <[email protected]<mailto:[email protected]>> writes: >There are many TLS 1.2 implementations supporting >TLS_RSA_WITH_AES_128_CBC_SHA (Static RSA key exchange, AES-CBC in MtE >composition, and SHA-1) just because it is MTI in RFC 5246. Every time I've encountered RSA suites still used today (and it's not uncommon, e.g. in wholesale banking) it has nothing to do with RFC 5246 which the people using the suites barely know exists, let alone any MTI stuff buried in some appendix at the end which may as well be invisible. It's because of the "DHE bad" meme from a few years ago which resulted in people turning off all the DHE suites and so what was left standing was RSA. So the lesson from this isn't "don't do MTI", it's "don't issue a blanket ban on an entire cipher family just because someone found one or two buggy implementations of it somewhere". Peter.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
