SSL – IETF drops RSA key transport from TLS 1.3
THE INTERNET ENGINEERING TASK FORCE (IETF) has dropped RSA key transport from TLS 1.3, the next version of SSL.
An email from the IETF had the subject line, “Confirming Consensus on removing RSA key Transport from TLS 1.3” and contained a short note.
The note said that discussions within the IETF working group found that Transport Layer Security (TLS) has included RSA key transport cipher suites for some time. It explained that over the years confidence in RSA has been shaken, adding that the consensus decision is to remove RSA key transport.
“TLS has had cipher suites based on RSA key transport (aka “static RSA”, TLS_RSA_WITH_*) since the days of SSL 2.0. These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time,” said the note.
“It would make the security analysis simpler to remove this option from TLS 1.3. RSA certificates would still be allowed, but the key establishment would be via DHE or ECDHE. The consensus in the room at IETF-89 was to remove RSA key transport from TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014.”
Responses were sent, and there was a suggestion that this was a bold move; however, the last few messages on the mailing list drove the decision forward. The last note added, “The discussion on this list and others supports the consensus in IETF 89 to remove RSA key transport cipher suites from TLS 1.3. The Editor is requested to make the appropriate changes to the draft on Github.”
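The note separates RSA key transport (TLS_RSA_WITH_*) from RSA certificates used with DHE or ECDHE, and that split can be read straight from the IANA suite names. The Python sketch below is an added example, not part of the IETF note or the original article; the function names and the sample suite list are constructed for illustration.

```python
import re

# IANA names before TLS 1.3: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>
_SUITE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+)$")

def classify(name):
    """Split a suite name into its key exchange and authentication parts."""
    m = _SUITE.match(name)
    if m is None:
        # OpenSSL-style names such as "AES128-SHA" must be mapped to IANA names first.
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name!r}")
    tokens = [t for t in m.group("kx").split("_") if t != "EXPORT"]
    kx = tokens[0]
    # A single token (TLS_RSA_WITH_*) means the same key does both jobs.
    auth = tokens[1] if len(tokens) > 1 else kx
    return {
        "suite": name,
        "key_exchange": kx,
        "authentication": auth,
        # Static RSA: the client encrypts the pre-master secret to the server key.
        "static_rsa": kx == "RSA",
        # Only ephemeral Diffie-Hellman gives PFS.
        "forward_secret": kx in ("DHE", "ECDHE"),
    }

def audit(suites):
    """Bucket a server's suite list the way the TLS 1.3 decision treats it."""
    rows = [classify(s) for s in suites]
    return {
        "rsa_key_transport": [r["suite"] for r in rows if r["static_rsa"]],
        "rsa_cert_with_pfs": [r["suite"] for r in rows
                              if r["authentication"] == "RSA" and r["forward_secret"]],
        "other_without_pfs": [r["suite"] for r in rows
                              if not r["static_rsa"] and not r["forward_secret"]],
    }

# Constructed sample: a suite list as it might be read from a server configuration.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_SUITES).items():
        print(bucket, names)
```

Suites in the `rsa_key_transport` bucket are the ones the working group agreed to drop; those in `rsa_cert_with_pfs` show that an RSA certificate remains usable once key establishment moves to DHE or ECDHE.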
The standing of RSA, the security company, has been a little shaken recently. Edward Snowden’s revelations exposed that the company was influenced by the US National Security Agency (NSA).
RSA has admitted to being somewhat burned by the relationship, and said that mistakes were made.
“We could have been more skeptical of NSA’s intentions,” RSA chief technologist Sam Curry told the Reuters news agency in early April. “We trusted them because they are charged with security for the US government and US critical infrastructure.”