Re: Ciphersuites (was Re: Mandatory to implement cipher suites)

On Sat, Jul 19, 2014 at 2:16 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> On Sat, Jul 19, 2014 at 12:33 PM, Brian Smith <brian@briansmith.org> wrote:
>> Also, I am
>> concerned that encouraging or mandating any TLS_DHE_* cipher suites
>> may cause complications for the 1-RTT and/or 0-RTT handshakes in TLS
>> 1.3. In particular, I am concerned that it may be too inefficient to
>> presumptuously generate ephemeral DHE keypairs for use in the
>> ClientHello, especially in addition to one or more ECDHE keys that
>> will have to be presumptuously generated too.

<snip>

> Of course, it's possible that if we make a number of different groups
> MTI, that there will be disjoint sets of server support and that therefore
> clients will have to send a lot of shares or run the risk of multiple
> round trips. However, I don't think that's made much more likely
> by specifying integer DHE.

This is exactly my concern, but I do not share your optimism. Also,
Mozilla was able to convince multiple vendors to accelerate the
process of shipping ECDHE support and/or backporting ECDHE support to
older products, in part by having an open discussion of our cipher
suite policies, and in part by refusing to support the non-ECDHE
AES-GCM cipher suites. Debian is a good example of that because
there's nothing confidential about that case: First, they asked us to
enable non-ECDHE AES-GCM support, and we refused. That, at least in
part, motivated them to make an exception to their backporting policy,
and they just recently released a backport of Apache 2.2 with ECDHE
support to Debian Stable.

Consequently, there's evidence that shows that insisting on ECDHE and
not DHE on the client increases the rate of deployment of ECDHE on the
server, which in turn would affect how often optimistically offering
P-256 ECDHE in the ClientHello will likely work in TLS 1.3. That, plus
the security/interop issues caused by the lack of a parameter
negotiation mechanism, as well as poor performance, are the main
reasons why I'm opposed to making any TLS_DHE_* cipher suites
mandatory to implement and why I think nobody should encourage their
use.

Cheers,
Brian

Received on Sunday, 20 July 2014 04:26:32 UTC
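The trade-off Brian raises (send more presumptive key shares in the ClientHello, or risk an extra round trip when the server wants a group the client did not send a share for) can be made concrete with a small model of how the finished TLS 1.3 key-share negotiation works. The following is an added example written for this archive page; it is not code from the original message or from any TLS implementation, and it follows the mechanism as published in RFC 8446 (supported_groups, key_share, HelloRetryRequest) rather than the 2014 draft under discussion. The group code points and share sizes are the RFC values; the client/server group lists and the `server_insists` policy switch are constructed inputs for illustration.

```python
"""Model of TLS 1.3 key-share negotiation (RFC 8446 sections 4.2.7 and 4.2.8).

Added example for this thread; not code from the original message or from any
TLS implementation. A client lists the groups it supports (supported_groups,
most preferred first) and attaches key shares for some of them. If the server
selects a group for which no share arrived, it answers HelloRetryRequest and
the client must send a second ClientHello, costing a round trip.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# NamedGroup code point and key_exchange length in bytes (RFC 8446 / RFC 7919).
GROUPS = {
    "secp256r1": (0x0017, 65),   # uncompressed P-256 point: 0x04 || X || Y
    "secp384r1": (0x0018, 97),
    "x25519":    (0x001D, 32),
    "ffdhe2048": (0x0100, 256),  # 2048-bit integer, big-endian, zero-padded
    "ffdhe3072": (0x0101, 384),
}


@dataclass(frozen=True)
class Outcome:
    group: Optional[str]  # negotiated group; None means no common group
    client_hellos: int    # 1 = handshake proceeds at once, 2 = HelloRetryRequest
    share_bytes: int      # key_exchange bytes spent in the first ClientHello


def share_bytes(shares: Sequence[str]) -> int:
    """Total key_exchange payload for the listed shares (entry headers excluded)."""
    return sum(GROUPS[g][1] for g in shares)


def negotiate(client_groups: Sequence[str], client_shares: Sequence[str],
              server_groups: Sequence[str], server_insists: bool = False) -> Outcome:
    """Return the outcome of one TLS 1.3 group negotiation.

    client_groups  - client's supported_groups, most preferred first
    client_shares  - subset of client_groups for which a KeyShareEntry was sent
    server_groups  - server's supported groups, most preferred first
    server_insists - True: the server takes its own top common group and uses
                     HelloRetryRequest if no share for it arrived (permitted by
                     RFC 8446); False: the server accepts the best share it can use.
    """
    unknown = [g for g in (*client_groups, *server_groups) if g not in GROUPS]
    if unknown:
        raise ValueError(f"unknown NamedGroup(s): {unknown}")
    if not set(client_shares) <= set(client_groups):
        raise ValueError("key_share may only contain groups listed in supported_groups")

    spent = share_bytes(client_shares)
    common = [g for g in server_groups if g in client_groups]
    if not common:
        return Outcome(None, 1, spent)  # server would send a handshake_failure alert

    if not server_insists:
        # Accommodating server: use the first group (in its own order) that the
        # client already sent a share for, avoiding the extra round trip.
        for g in common:
            if g in client_shares:
                return Outcome(g, 1, spent)
    chosen = common[0]
    if chosen in client_shares:
        return Outcome(chosen, 1, spent)
    # HelloRetryRequest: the client must generate a share for `chosen` and resend.
    return Outcome(chosen, 2, spent)


if __name__ == "__main__":
    client = ["x25519", "secp256r1", "ffdhe2048"]
    scenarios = [
        ("ECDHE server, ECDHE shares only", ["x25519", "secp256r1"], ["secp256r1", "x25519"]),
        ("DHE-only server, ECDHE shares only", ["x25519", "secp256r1"], ["ffdhe2048"]),
        ("DHE-only server, DHE share added", ["x25519", "secp256r1", "ffdhe2048"], ["ffdhe2048"]),
    ]
    for label, shares, server in scenarios:
        print(f"{label}: {negotiate(client, shares, server)}")
```

Running the three constructed scenarios shows the two costs side by side: against a server that only supports ffdhe2048, a client sending ECDHE shares pays a second ClientHello, while a client that also speculatively attaches an ffdhe2048 share avoids the round trip at the price of 256 extra bytes and a 2048-bit exponentiation that is wasted whenever the server turns out to support ECDHE.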