Re: tlsa for smtp to <at> bugs.debian.org
Ian Jackson <ijackson <at> chiark.greenend.org.uk> writes:
> > Curiously, the optional ephemeral Diffie-Hellman part of the TLS
> > protocol runs in plaintext, which means that it can be attacked
> > directly, without bothering to attack the RSA part. As a result, that
> I disagree. Forward secrecy is generally an important improvement.
Only if it provides secrecy.
If one of the communication partners (say, the client, because it’s
on a mobile) uses a guessable secret (say, due to lack of entropy),
the session is lost.
IMHO TLS should be changed to encrypt the DHE part (possibly with
an anon RSA key on the client side (which may be short- or medium-
lived) plus the server RSA key), *and* each party should send some
entropy to the other party before DHE kex happens (which the other
side may/should stir into their own RNG).
Of course, using a medium-lived RSA key for _that_ on the server
side (say, one regenerated every week) will provide additional
secrecy, as it can’t be forced out even by LEOs if it no longer
exists (has been properly purged after the week).
But looking at the sad state in SChannel… no chance.
Florian, what about switching to sign-only RSA server certs and
letting the server use ephemeral RSA encryption keypairs for the
actual session? Haven’t thought too long on that yet. (Probably
even slower, but then we’ve at least got an established slider
between fast and secure.)
//mirabilos, who wanted to write this up weeks ago and never
got around to doing so
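The point made above about a guessable DHE secret, as an added example that is not part of the mail thread or of any TLS implementation: the public values g^a and g^b travel in the clear, so a passive observer who can enumerate one side's exponent space recovers the session key without touching the RSA part at all. The group is RFC 3526 MODP group 14 with generator 2 (the constant is transcribed here); the 16-bit client exponent space, the 256-bit server exponent, the SHA-256 key derivation and all function names are assumptions chosen for illustration, not anything from the original message.

```python
"""Added example (not from the original thread): a passive attacker recovering
a DHE session key when one peer's exponent comes from an entropy-starved RNG.
Group: RFC 3526 MODP group 14 (2048-bit), generator 2.  The 16-bit client
exponent space and the 256-bit server exponent are assumptions for the demo."""

import hashlib
import secrets

# RFC 3526 group 14 prime (2048-bit), transcribed from the RFC.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
WEAK_BITS = 16  # assumed size of the entropy-starved client's exponent space


def strong_exponent() -> int:
    """Server side: a properly random 256-bit exponent (assumed good RNG)."""
    return secrets.randbits(256) | (1 << 255)


def weak_exponent() -> int:
    """Client side: simulates an RNG that only ever had 16 bits of entropy."""
    return secrets.randbelow(1 << WEAK_BITS) + 1


def public_value(exp: int) -> int:
    """g^exp mod p, sent over the wire in plaintext."""
    return pow(G, exp, P)


def session_key(peer_public: int, own_exp: int) -> bytes:
    """Derive a key from the shared secret (simple SHA-256 KDF, an assumption)."""
    shared = pow(peer_public, own_exp, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def recover_exponent(public: int, max_bits: int = WEAK_BITS):
    """Passive attacker: walk g^1, g^2, ... with one modular multiply per step
    and stop when the running value equals the observed public value."""
    cur = 1
    for a in range(1, (1 << max_bits) + 1):
        cur = cur * G % P
        if cur == public:
            return a
    return None


def eavesdrop(client_public: int, server_public: int, max_bits: int = WEAK_BITS):
    """Try both observed values; whichever side was weak gives up the key.
    Returns None if neither exponent lies in the enumerated space."""
    a = recover_exponent(client_public, max_bits)
    if a is not None:
        return session_key(server_public, a)
    b = recover_exponent(server_public, max_bits)
    if b is not None:
        return session_key(client_public, b)
    return None


def demo():
    """One weak-client / strong-server exchange observed by the attacker.
    Returns (client_key, server_key, attacker_key)."""
    a, b = weak_exponent(), strong_exponent()
    A, B = public_value(a), public_value(b)          # the plaintext wire values
    return session_key(B, a), session_key(A, b), eavesdrop(A, B)


if __name__ == "__main__":
    kc, ks, ka = demo()
    print("client and server agree on the key:", kc == ks)
    print("attacker recovered the same key:   ", ka == kc)
```

The server's 256-bit exponent is never attacked; a single weak exponent on either side is enough, because the attacker only needs one of the two private values to compute g^(ab). With both exponents strong the same search returns None, which is the whole point of the "only if it provides secrecy" remark.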