Re: [TLS] TLS 1.1 and static DH

Dr Stephen Henson <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> writes:
>Finding test vectors for the parameter generation algorithm was also a
>problem. The only ones I saw were either compatible with the DSA algorithm or
>clearly broken. Various calls in public mailing lists giving details about
>why I thought the existing ones were wrong met with silence. I ended up
>concluding that if no one else was implementing it, why should I?

I think this confusion over X9.42 details is pretty much universal; there's
been the ongoing saga of the S/MIME test vectors where as soon as someone
published vectors, someone else pointed out that they were wrong for one
reason or another. Given their history, it's quite possible that they still
have errors, but people gave up looking (actually looking at RFC 4134 I can't
see any DH vectors in there at all, so I guess they used the ostrich algorithm
to solve the problem :-).

A related problem is that the X9.42 spec was never really a going concern in
the first place; it more or less sleep-walked into becoming a standard after
years in the doldrums when the contributors lost interest in it. As a result
there are implementations based on all sorts of buggy drafts out there; in
fact for most of the time when it was still being pushed all you could get
were buggy drafts.

So perhaps the best option for TLS is to deprecate the static DH suites. They
seem to be pretty much entirely unsupported, and even if you did want to
support them you'd end up in a quagmire from which extrication would prove
difficult.

Peter.
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls