Re: Proposed Statement on "HTTPS everywhere for the IETF"

ietf

Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-02 01:45:28

Hi,

Though the proposal relies on BCP195, I'm afraid there is a serious
contradiction between the following statements in BCP195:

   o  Ticket keys MUST be changed regularly, e.g., once every week, so
                                                   ^^^^^^^^^^^^^^^
      as not to negate the benefits of forward secrecy (see Section 6.3
      for details on forward secrecy).

and

   o  If exponents are reused for too long (e.g., even more than a few
                                                  ^^^^^^^^^^^^^^^^^^^^
      hours), an attacker who gains access to the host can decrypt
      ^^^^^
      previous connections.  In other words, exponent reuse negates the
      effects of forward secrecy.

that it must be revised to shorten the duration of the former
statement before being used for the real world security.

Also, it should be honest to state that HTTPS for IETF may be
useless against USG surveillance.

                                                        Masataka Ohta

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Proposed Statement on "HTTPS everywhere for the IETF", (continued) Re: Proposed Statement on "HTTPS everywhere for the IETF", Nico Williams Re: Proposed Statement on "HTTPS everywhere for the IETF", Roland Dobbins Where are the places that block encrypted traffic?, Sam Hartman Re: Where are the places that block encrypted traffic?, Patrik Fältström Re: Where are the places that block encrypted traffic?, Niels Dettenbach Re: Where are the places that block encrypted traffic?, Mark Andrews Re: Where are the places that block encrypted traffic?, Sam Hartman Re: Where are the places that block encrypted traffic?, Tim Bray Re: Where are the places that block encrypted traffic?, Warren Kumari Re: Proposed Statement on "HTTPS everywhere for the IETF", John Levine Re: Proposed Statement on "HTTPS everywhere for the IETF", Masataka Ohta <= Re: Proposed Statement on "HTTPS everywhere for the IETF", Joe Touch Re: Proposed Statement on "HTTPS everywhere for the IETF", Ted Lemon Re: Proposed Statement on "HTTPS everywhere for the IETF", Joe Touch Re: Proposed Statement on "HTTPS everywhere for the IETF", Ted Lemon Re: Proposed Statement on "HTTPS everywhere for the IETF", Joe Touch Re: Proposed Statement on "HTTPS everywhere for the IETF", Stewart Bryant Re: Proposed Statement on "HTTPS everywhere for the IETF", t.p. Re: Proposed Statement on "HTTPS everywhere for the IETF", Richard Barnes Re: Proposed Statement on "HTTPS everywhere for the IETF", Joe Touch Re: Proposed Statement on "HTTPS everywhere for the IETF", Richard Barnes

Previous by Date:	Re: Proposed Statement on "HTTPS everywhere for the IETF", Harald Alvestrand
Next by Date:	Re: Proposed Statement on "HTTPS everywhere for the IETF", Jari Arkko
Previous by Thread:	Re: Proposed Statement on "HTTPS everywhere for the IETF", John Levine
Next by Thread:	Re: Proposed Statement on "HTTPS everywhere for the IETF", Joe Touch
Indexes:	[Date] [Thread] [Top] [All Lists]