On Fri, Jun 20, 2014 at 8:16 PM, Peter Gutmann <[email protected]> wrote:
> Trevor Freeman <[email protected]> writes:
>
>> if I negotiate TLS 1.2, with EC, PFS, AES GCM, then that would be a
>> best practice
>
> Why not DH+RSA and AES with EtM? I can make a good argument for those (the
> DLP-based cryptosystems are extremely vulnerable to implementation issues that
> tend to make them leak their private key, ECDSA doesn't have RSA's nice
> asymmetric properties that make it amenable to use on low-power clients, and
> everything does RSA but not everything does ECDH/ECDSA).
Performance matters: many servers don't support DH+RSA for performance
reasons, requiring ECDH instead. If clients don't support it, the fallback is
to non-PFS suites. Clients don't validate DH parameters, and there is no list
to check against, which needs to be fixed before we can recommend them.

Sincerely,
Watson Ladd

> Peter.
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta

--
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
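The message above says TLS 1.2 clients do not validate the DH parameters a server sends. The following is an added illustration of what such a check looks like; it is not code from the UTA list, from any TLS stack, or from either poster. It parses the ServerDHParams structure of a ServerKeyExchange (the three opaque<1..2^16-1> fields defined in RFC 5246 section 7.4.3) and then applies an acceptance policy that is this example's own choice: a minimum modulus size, p must be a safe prime (so the subgroup order q = (p-1)/2 is known without a separate q field), and both g and the server's public value must lie in the order-q subgroup. The sample wire bytes encode a constructed toy group (p = 23, g = 2, Ys = 8) so the example runs offline; `min_bits` is lowered for it and would be left at its default against a real server.

```python
"""Parse and sanity-check the DH parameters from a TLS 1.2 ServerKeyExchange.

Added example for the discussion above; not code from the UTA list or from any
TLS implementation. Wire format: ServerDHParams, RFC 5246 section 7.4.3. The
acceptance policy (size floor, safe prime, subgroup membership) is this
example's own choice, not something TLS 1.2 itself mandates.
"""
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ServerDHParams:
    p: int   # dh_p: the prime modulus
    g: int   # dh_g: the generator
    ys: int  # dh_Ys: the server's public value g^x mod p


def parse_server_dh_params(data: bytes) -> Tuple[ServerDHParams, int]:
    """Decode three opaque<1..2^16-1> fields, each a 2-byte big-endian length
    followed by an unsigned big-endian integer. Returns the parsed parameters
    and the number of bytes consumed (the signature that follows in a real
    ServerKeyExchange is out of scope here)."""
    fields = []
    off = 0
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        n = int.from_bytes(data[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad field length in ServerDHParams")
        fields.append(int.from_bytes(data[off:off + n], "big"))
        off += n
    return ServerDHParams(*fields), off


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with trial division by small primes first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def validate_dh_params(params: ServerDHParams, min_bits: int = 2048) -> Optional[str]:
    """Return None if the parameters are acceptable, else a reason string.
    The checks are ordered cheapest first; the modular exponentiations on a
    2048-bit p are the expensive part."""
    p, g, ys = params.p, params.g, params.ys
    if p.bit_length() < min_bits:
        return f"p is only {p.bit_length()} bits"
    if not is_probable_prime(p):
        return "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        # Without a safe prime (and no q on the wire) the client cannot tell
        # what subgroup it is working in, so this policy refuses the group.
        return "p is not a safe prime (q = (p-1)/2 is composite)"
    if not 1 < g < p - 1:
        return "g out of range"
    if pow(g, q, p) != 1:
        # g of full order 2q would leak the parity of the server's exponent.
        return "g does not generate the order-q subgroup"
    if not 1 < ys < p - 1:
        # Rejects 0, 1 and p-1, the classic small-subgroup/degenerate values.
        return "server public value out of range"
    if pow(ys, q, p) != 1:
        return "server public value is not in the order-q subgroup"
    return None


if __name__ == "__main__":
    # Constructed sample: toy group p = 23, g = 2, Ys = 8 (= 2^3 mod 23),
    # encoded as ServerDHParams; min_bits is lowered so the toy group passes.
    wire = bytes.fromhex("000117" "000102" "000108")
    params, used = parse_server_dh_params(wire)
    print(params, "consumed", used, "->", validate_dh_params(params, min_bits=5))
    # Same modulus, but Ys = 5 has order 22, i.e. it is outside the order-11 subgroup.
    print(validate_dh_params(ServerDHParams(23, 2, 5), min_bits=5))
    # With the default floor the toy group is refused on size alone.
    print(validate_dh_params(params))
```

The subgroup test `pow(ys, q, p) == 1` doubles as the Legendre-symbol check for a safe prime, so it catches the p-1 value and any Ys that is not a quadratic residue; what it cannot do is tell a well-known group from a server-chosen one, which is the "no list to check against" gap the message raises.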
