<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" docName="draft-ietf-tls-deprecate-obsolete-kex-08" category="std" consensus="true" submissionType="IETF" xml:lang="en" number="10015" updates="4162, 4279, 4346, 4785, 5246, 5288, 5289, 5469, 5487, 5932, 6209, 6347, 6367, 6655, 7905, 8422, 9325" tocInclude="true" sortRefs="true" symRefs="true" prepTime="2026-07-16T20:29:33" indexInclude="true" scripts="Common,Latin" tocDepth="3">
  <link href="https://dx.doi.org/10.17487/rfc10015" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <link href="https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex-08" rel="prev"/>
  <front>
    <title abbrev="Deprecating Obsolete Key Exchanges in (D)TLS 1.2">Deprecating Obsolete Key Exchange Methods in TLS 1.2 and DTLS 1.2</title>
    <seriesInfo name="RFC" value="10015" stream="IETF"/>
    <author initials="N." surname="Aviram" fullname="Nimrod Aviram">
      <organization showOnFrontPage="true"/>
      <address>
        <email>nimrod.aviram@gmail.com</email>
      </address>
    </author>
    <date month="07" year="2026"/>
    <area>SEC</area>
    <workgroup>tls</workgroup>
    <keyword>RSA</keyword>
    <keyword>Diffie-Hellman</keyword>
    <keyword>DH</keyword>
    <keyword>DHE</keyword>
    <keyword>ECDH</keyword>
    <keyword>ECDHE</keyword>
    <abstract pn="section-abstract">
      <t indent="0" pn="section-abstract-1">For (D)TLS 1.2, this document deprecates the use of two key exchanges, namely Diffie-Hellman (DH) over
a finite field and RSA. It also discourages the use of static Elliptic Curve Diffie-Hellman (ECDH)
cipher suites.</t>
      <t indent="0" pn="section-abstract-2">These prescriptions apply only to (D)TLS 1.2, since (D)TLS 1.0 and TLS 1.1 are
deprecated by RFC 8996 and (D)TLS 1.3 either does not use the affected
algorithms or does not share the relevant configuration options.
(There is no DTLS version 1.1.)</t>
      <t indent="0" pn="section-abstract-3">This document updates RFCs 4162, 4279, 4346, 4785, 5246, 5288, 5289, 5469,
5487, 5932, 6209, 6347, 6367, 6655, 7905, 8422, and 9325 to either deprecate or
discourage the use of cipher suites using the above key exchange
methods in (D)TLS 1.2 connections.</t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t indent="0" pn="section-boilerplate.1-1">
            This is an Internet Standards Track document.
        </t>
        <t indent="0" pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.
        </t>
        <t indent="0" pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc10015" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t indent="0" pn="section-boilerplate.2-1">
            Copyright (c) 2026 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t indent="0" pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Revised BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Revised BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.1.2">
              <li pn="section-toc.1-1.1.2.1">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-requirements-language">Requirements Language</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.2">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-non-ephemeral-diffie-hellma">Non-Ephemeral Diffie-Hellman</xref></t>
          </li>
          <li pn="section-toc.1-1.3">
            <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-ephemeral-finite-field-diff">Ephemeral Finite Field Diffie-Hellman</xref></t>
          </li>
          <li pn="section-toc.1-1.4">
            <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-rsa">RSA</xref></t>
          </li>
          <li pn="section-toc.1-1.5">
            <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-updates-to-cipher-suites-an">Updates to Cipher Suites and TLS ClientCertificateType Identifiers</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2">
              <li pn="section-toc.1-1.5.2.1">
                <t indent="0" pn="section-toc.1-1.5.2.1.1"><xref derivedContent="5.1" format="counter" sectionFormat="of" target="section-5.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-dh-cipher-suites-deprecated">DH Cipher Suites Deprecated by This Document</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.2">
                <t indent="0" pn="section-toc.1-1.5.2.2.1"><xref derivedContent="5.2" format="counter" sectionFormat="of" target="section-5.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-ecdh-cipher-suites-whose-us">ECDH Cipher Suites Whose Use Is Discouraged by This Document</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.3">
                <t indent="0" pn="section-toc.1-1.5.2.3.1"><xref derivedContent="5.3" format="counter" sectionFormat="of" target="section-5.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-dhe-cipher-suites-deprecate">DHE Cipher Suites Deprecated by This Document</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.4">
                <t indent="0" pn="section-toc.1-1.5.2.4.1"><xref derivedContent="5.4" format="counter" sectionFormat="of" target="section-5.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-rsa-cipher-suites-deprecate">RSA Cipher Suites Deprecated by This Document</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.5">
                <t indent="0" pn="section-toc.1-1.5.2.5.1"><xref derivedContent="5.5" format="counter" sectionFormat="of" target="section-5.5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-tls-clientcertificatetype-i">TLS ClientCertificateType Identifiers Deprecated by This Document</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.6">
            <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-updates-to-rfc-9325">Updates to RFC 9325</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.8">
            <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.9">
            <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="9" format="counter" sectionFormat="of" target="section-9"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2">
              <li pn="section-toc.1-1.9.2.1">
                <t indent="0" pn="section-toc.1-1.9.2.1.1"><xref derivedContent="9.1" format="counter" sectionFormat="of" target="section-9.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
              </li>
              <li pn="section-toc.1-1.9.2.2">
                <t indent="0" pn="section-toc.1-1.9.2.2.1"><xref derivedContent="9.2" format="counter" sectionFormat="of" target="section-9.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.10">
            <t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments</xref></t>
          </li>
          <li pn="section-toc.1-1.11">
            <t indent="0" pn="section-toc.1-1.11.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-address">Author's Address</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" removeInRFC="false" toc="include" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t indent="0" pn="section-1-1">(D)TLS 1.2 supports a variety of key exchange algorithms, including RSA, Diffie-Hellman (DH)
over a finite field, and Elliptic Curve Diffie-Hellman (ECDH).</t>
      <t indent="0" pn="section-1-2">DH key exchange, over any group, comes in ephemeral and non-ephemeral
varieties. Non-ephemeral DH algorithms use static DH public keys included in
the authenticating peer's certificate; see <xref target="RFC4492" format="default" sectionFormat="of" derivedContent="RFC4492"/> for discussion.  In
contrast, ephemeral DH algorithms use ephemeral DH public keys sent in the
handshake and authenticated by the peer's certificate.  Ephemeral and non-ephemeral finite field DH
algorithms are called DHE and DH (or FFDHE and FFDH), respectively,
and ephemeral and non-ephemeral elliptic curve DH algorithms are
called ECDHE and ECDH, respectively <xref target="RFC4492" format="default" sectionFormat="of" derivedContent="RFC4492"/>.</t>
      <t indent="0" pn="section-1-3">In general, non-ephemeral cipher suites are not recommended due to their lack of
forward secrecy. Moreover, as demonstrated by the Raccoon attack <xref target="RACCOON" format="default" sectionFormat="of" derivedContent="RACCOON"/> on finite field DH, public key reuse (either via non-ephemeral cipher suites or reused keys with
ephemeral cipher suites) can lead to timing side channels that may leak connection
secrets. For ECDH, invalid curve attacks similarly exploit secret
reuse in order to break security <xref target="ICA" format="default" sectionFormat="of" derivedContent="ICA"/>, further demonstrating the risk of reusing
public keys. While both side channels can be avoided in implementations, experience
shows that in practice, implementations may fail to thwart such attacks due to the
complexity and number of the required mitigations.</t>
      <t indent="0" pn="section-1-4">Additionally, RSA key exchange suffers from security problems that are independent
of implementation choices as well as problems that stem purely from the difficulty
of implementing security countermeasures correctly.</t>
      <t indent="0" pn="section-1-5">At a rough glance, the problems affecting FFDHE in (D)TLS 1.2 are as follows:</t>
      <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-1-6"><li pn="section-1-6.1" derivedCounter="1.">
          <t indent="0" pn="section-1-6.1.1">FFDHE suffers from interoperability problems because there is no mechanism for
negotiating the group, and some implementations only support small group sizes
(see <xref section="1" sectionFormat="comma" target="RFC7919" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7919#section-1" derivedContent="RFC7919"/>).</t>
        </li>
        <li pn="section-1-6.2" derivedCounter="2.">
          <t indent="0" pn="section-1-6.2.1">FFDHE groups may have small subgroups, which enables several attacks
<xref target="SUBGROUPS" format="default" sectionFormat="of" derivedContent="SUBGROUPS"/>. When presented with a custom, non-standardized FFDHE group, a handshaking client cannot practically verify that the group chosen by the server does not suffer from this problem. There is also no mechanism for such handshakes to fall back to other key exchange parameters that are acceptable to the client.
Custom FFDHE groups are widespread (as a result of advice based on <xref target="WEAK-DH" format="default" sectionFormat="of" derivedContent="WEAK-DH"/>).
Therefore, clients cannot simply reject handshakes that present custom, and thus potentially dangerous, groups.</t>
        </li>
        <li pn="section-1-6.3" derivedCounter="3.">
          <t indent="0" pn="section-1-6.3.1">In practice, some operators use 1024-bit FFDHE groups since this is the
maximum size that ensures wide support (see <xref section="1" sectionFormat="comma" target="RFC7919" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7919#section-1" derivedContent="RFC7919"/>).
This size leaves only a small security margin versus the current discrete log record,
which stands at 795 bits <xref target="DLOG795" format="default" sectionFormat="of" derivedContent="DLOG795"/>.</t>
        </li>
        <li pn="section-1-6.4" derivedCounter="4.">
          <t indent="0" pn="section-1-6.4.1">Expanding on the previous point, just a handful of very large computations allow
an attacker to cheaply decrypt a relatively large fraction of FFDHE traffic
(namely, traffic encrypted using particular standardized groups) <xref target="WEAK-DH" format="default" sectionFormat="of" derivedContent="WEAK-DH"/>.</t>
        </li>
        <li pn="section-1-6.5" derivedCounter="5.">
          <t indent="0" pn="section-1-6.5.1">When secrets are not fully ephemeral, FFDHE suffers from the Raccoon side-channel attack <xref target="RACCOON" format="default" sectionFormat="of" derivedContent="RACCOON"/>. (Note that FFDH is inherently vulnerable to the Raccoon attack
unless constant-time mitigations are employed.)</t>
        </li>
      </ol>
      <t indent="0" pn="section-1-7">The problems affecting RSA key exchange in (D)TLS 1.2 are as follows:</t>
      <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-1-8"><li pn="section-1-8.1" derivedCounter="1.">
          <t indent="0" pn="section-1-8.1.1">RSA key exchange offers no forward secrecy, by construction.</t>
        </li>
        <li pn="section-1-8.2" derivedCounter="2.">
          <t indent="0" pn="section-1-8.2.1">RSA key exchange may be vulnerable to Bleichenbacher's attack <xref target="BLEI" format="default" sectionFormat="of" derivedContent="BLEI"/>.
Experience shows that variants of this attack arise every few years because
implementing the relevant countermeasure correctly is difficult (see
<xref target="ROBOT" format="default" sectionFormat="of" derivedContent="ROBOT"/>, <xref target="NEW-BLEI" format="default" sectionFormat="of" derivedContent="NEW-BLEI"/>, and <xref target="DROWN" format="default" sectionFormat="of" derivedContent="DROWN"/>).</t>
        </li>
        <li pn="section-1-8.3" derivedCounter="3.">
          <t indent="0" pn="section-1-8.3.1">In addition to the above point, there is no convenient mechanism in (D)TLS 1.2 for
the domain separation of keys. Therefore, a single endpoint that is vulnerable to
Bleichenbacher's attack would affect all endpoints sharing the same RSA key (see
<xref target="XPROT" format="default" sectionFormat="of" derivedContent="XPROT"/> and <xref target="DROWN" format="default" sectionFormat="of" derivedContent="DROWN"/>).</t>
        </li>
      </ol>
      <t indent="0" pn="section-1-9">This document updates 
<xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/>, <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/>, <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/>, <xref target="RFC4785" format="default" sectionFormat="of" derivedContent="RFC4785"/>, <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/>, <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/>, <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/>, <xref target="RFC5469" format="default" sectionFormat="of" derivedContent="RFC5469"/>, <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/>, <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/>, <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/>, <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/>, <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/>, <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/>, <xref target="RFC7905" format="default" sectionFormat="of" derivedContent="RFC7905"/>, <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/>, and <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/> to remediate the above problems, by deprecating and discouraging the use of affected cipher suites, as listed in Sections <xref target="ecdhcs" format="counter" sectionFormat="of" derivedContent="5.2"/>, <xref target="dhecs" format="counter" sectionFormat="of" derivedContent="5.3"/>, <xref target="rsacs" format="counter" sectionFormat="of" derivedContent="5.4"/>, and <xref target="cert" format="counter" sectionFormat="of" derivedContent="5.5"/>.</t>
      <t indent="0" pn="section-1-10">BCP 195 <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/> <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/> contains the latest IETF recommendations for users of the (D)TLS protocol (and specifically, (D)TLS 1.2), and this
document updates <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/> in several points. <xref target="update-9325" format="default" sectionFormat="of" derivedContent="Section 6"/> details the exact differences.
All other recommendations in the BCP documents remain valid.</t>
      <section anchor="requirements-language" numbered="true" removeInRFC="false" toc="include" pn="section-1.1">
        <name slugifiedName="name-requirements-language">Requirements Language</name>
        <t indent="0" pn="section-1.1-1">
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
    "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
    interpreted as described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as
    shown here.
        </t>
      </section>
    </section>
    <section anchor="non-ephemeral" numbered="true" removeInRFC="false" toc="include" pn="section-2">
      <name slugifiedName="name-non-ephemeral-diffie-hellma">Non-Ephemeral Diffie-Hellman</name>
      <t indent="0" pn="section-2-1">Clients <bcp14>MUST NOT</bcp14> offer and servers <bcp14>MUST NOT</bcp14> select non-ephemeral FFDH cipher suites in (D)TLS 1.2 connections.
(Note that (D)TLS 1.0 and TLS 1.1 are deprecated by <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/>, and (D)TLS 1.3 does not
support FFDH <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="RFC9846"/> <xref target="RFC9147" format="default" sectionFormat="of" derivedContent="RFC9147"/>.) This includes all cipher suites listed in <xref target="deprecated-cs" format="default" sectionFormat="of" derivedContent="Table 1"/> in
<xref target="dhcs" format="default" sectionFormat="of" derivedContent="Section 5.1"/>.</t>
      <t indent="0" pn="section-2-2">Clients <bcp14>SHOULD NOT</bcp14> offer and servers <bcp14>SHOULD NOT</bcp14> select non-ephemeral ECDH cipher suites in (D)TLS 1.2 connections. (This requirement is already present in <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/>.
Note that (D)TLS 1.0 and TLS 1.1 are deprecated by <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/>, and
(D)TLS 1.3 does not support ECDH <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="RFC9846"/> <xref target="RFC9147" format="default" sectionFormat="of" derivedContent="RFC9147"/>.) This includes all cipher suites listed
in <xref target="discouraged-cs" format="default" sectionFormat="of" derivedContent="Table 2"/> in <xref target="ecdhcs" format="default" sectionFormat="of" derivedContent="Section 5.2"/>.</t>
      <t indent="0" pn="section-2-3">In addition, to avoid the use of non-ephemeral DH, clients <bcp14>SHOULD NOT</bcp14> use and servers <bcp14>SHOULD NOT</bcp14> accept certificates with fixed DH parameters. These certificate types are rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh as listed in <xref target="cert" format="default" sectionFormat="of" derivedContent="Section 5.5"/>. These values only apply to (D)TLS versions of 1.2 and below.</t>
    </section>
    <section anchor="dhe" numbered="true" removeInRFC="false" toc="include" pn="section-3">
      <name slugifiedName="name-ephemeral-finite-field-diff">Ephemeral Finite Field Diffie-Hellman</name>
      <t indent="0" pn="section-3-1">Clients <bcp14>MUST NOT</bcp14> offer and servers <bcp14>MUST NOT</bcp14> select FFDHE cipher suites in (D)TLS 1.2 connections.
This includes all cipher suites listed in <xref target="deprecated-dhe-cs" format="default" sectionFormat="of" derivedContent="Table 3"/> in <xref target="dhecs" format="default" sectionFormat="of" derivedContent="Section 5.3"/>.
(Note that (D)TLS 1.0 and TLS 1.1 are deprecated by <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/>.) FFDHE cipher suites in (D)TLS 1.3 do not suffer from the problems presented in <xref target="introduction" format="default" sectionFormat="of" derivedContent="Section 1"/>; see <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="RFC9846"/> and <xref target="RFC9147" format="default" sectionFormat="of" derivedContent="RFC9147"/>. Therefore, clients and servers <bcp14>MAY</bcp14> offer FFDHE cipher suites in (D)TLS 1.3 connections.</t>
    </section>
    <section anchor="rsa" numbered="true" removeInRFC="false" toc="include" pn="section-4">
      <name slugifiedName="name-rsa">RSA</name>
      <t indent="0" pn="section-4-1">Clients <bcp14>MUST NOT</bcp14> offer and servers <bcp14>MUST NOT</bcp14> select RSA cipher suites in (D)TLS 1.2
connections. (Note that (D)TLS 1.0 and TLS 1.1 are deprecated by <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/>, and (D)TLS
1.3 does not support static RSA <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="RFC9846"/> <xref target="RFC9147" format="default" sectionFormat="of" derivedContent="RFC9147"/>.) This includes all cipher suites
listed in <xref target="deprecated-rha-cs" format="default" sectionFormat="of" derivedContent="Table 4"/> in <xref target="rsacs" format="default" sectionFormat="of" derivedContent="Section 5.4"/>. Note that these cipher suites were previously
marked as not recommended in the "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>.</t>
    </section>
    <section anchor="updates-to-cipher-suites-and-tls-clientcertificatetype-identifiers" numbered="true" removeInRFC="false" toc="include" pn="section-5">
      <name slugifiedName="name-updates-to-cipher-suites-an">Updates to Cipher Suites and TLS ClientCertificateType Identifiers</name>
      <t indent="0" pn="section-5-1">The following subsections mention the use of "D" in the "Recommended" column of the "TLS Cipher Suites" and "TLS ClientCertificateType Identifiers" registries <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>. See <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/> for information on the use of the "D".</t>
      <section anchor="dhcs" numbered="true" removeInRFC="false" toc="include" pn="section-5.1">
        <name slugifiedName="name-dh-cipher-suites-deprecated">DH Cipher Suites Deprecated by This Document</name>
        <t indent="0" pn="section-5.1-1">IANA has set the "Recommended" column to "D" and added this document as a reference for the following entries in the "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>:</t>
        <table anchor="deprecated-cs" align="center" pn="table-1">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Cipher Suite</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_EXPORT_WITH_RC4_40_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_RC4_128_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="ecdhcs" numbered="true" removeInRFC="false" toc="include" pn="section-5.2">
        <name slugifiedName="name-ecdh-cipher-suites-whose-us">ECDH Cipher Suites Whose Use Is Discouraged by This Document</name>
        <t indent="0" pn="section-5.2-1"><xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/> specifies that implementations <bcp14>SHOULD NOT</bcp14> negotiate the following cipher suites; accordingly, they appeared with "N" in the "Recommended" column in the IANA "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>. Per this document, IANA has updated them to have "D" in the "Recommended" column to align with <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/> (and added this document as a reference for each). This document also records the rationale for discouraging use of these cipher suites, and it cites prior analyses and attacks that demonstrate the associated risks (see <xref target="sec-considerations" format="default" sectionFormat="of" derivedContent="Section 8"/>).</t>
        <table anchor="discouraged-cs" align="center" pn="table-2">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Cipher Suite</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_anon_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_anon_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5289" format="default" sectionFormat="of" derivedContent="RFC5289"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="dhecs" numbered="true" removeInRFC="false" toc="include" pn="section-5.3">
        <name slugifiedName="name-dhe-cipher-suites-deprecate">DHE Cipher Suites Deprecated by This Document</name>
        <t indent="0" pn="section-5.3-1">IANA has set the "Recommended" column to "D" and added this document as a reference for the following entries in the "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>:</t>
        <table anchor="deprecated-dhe-cs" align="center" pn="table-3">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Cipher Suite</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4785" format="default" sectionFormat="of" derivedContent="RFC4785"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_NULL_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_NULL_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_128_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_256_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_128_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_AES_256_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_128_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_AES_256_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC7905" format="default" sectionFormat="of" derivedContent="RFC7905"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC7905" format="default" sectionFormat="of" derivedContent="RFC7905"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_PSK_DHE_WITH_AES_128_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_PSK_DHE_WITH_AES_256_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="rsacs" numbered="true" removeInRFC="false" toc="include" pn="section-5.4">
        <name slugifiedName="name-rsa-cipher-suites-deprecate">RSA Cipher Suites Deprecated by This Document</name>
        <t indent="0" pn="section-5.4-1">IANA has set the "Recommended" column to "D" and added this document as a reference for the following entries in the "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>:</t>
        <table anchor="deprecated-rha-cs" align="center" pn="table-4">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Cipher Suite</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_NULL_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_EXPORT_WITH_RC4_40_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_RC4_128_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_IDEA_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_EXPORT_WITH_DES40_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4346" format="default" sectionFormat="of" derivedContent="RFC4346"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_DES_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_NULL_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4785" format="default" sectionFormat="of" derivedContent="RFC4785"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_NULL_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_RC4_128_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/> <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_128_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_256_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4279" format="default" sectionFormat="of" derivedContent="RFC4279"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_SEED_CBC_SHA</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC4162" format="default" sectionFormat="of" derivedContent="RFC4162"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5288" format="default" sectionFormat="of" derivedContent="RFC5288"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_AES_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_NULL_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_NULL_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5487" format="default" sectionFormat="of" derivedContent="RFC5487"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5932" format="default" sectionFormat="of" derivedContent="RFC5932"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6209" format="default" sectionFormat="of" derivedContent="RFC6209"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6367" format="default" sectionFormat="of" derivedContent="RFC6367"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_128_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_256_CCM</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_128_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_WITH_AES_256_CCM_8</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC6655" format="default" sectionFormat="of" derivedContent="RFC6655"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC7905" format="default" sectionFormat="of" derivedContent="RFC7905"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="cert" numbered="true" removeInRFC="false" toc="include" pn="section-5.5">
        <name slugifiedName="name-tls-clientcertificatetype-i">TLS ClientCertificateType Identifiers Deprecated by This Document</name>
        <t indent="0" pn="section-5.5-1">IANA has set the "Recommended" column to "D" and added this document as a reference for the following entries in the "TLS ClientCertificateType Identifiers" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>:</t>
        <table align="center" pn="table-5">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Certificate Type</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">rsa_fixed_dh (3)</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/> <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">dss_fixed_dh (4)</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="RFC5246"/> <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">rsa_fixed_ecdh (65)</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/> <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/></td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">ecdsa_fixed_ecdh (66)</td>
              <td align="left" colspan="1" rowspan="1">
                <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/> <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/></td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="update-9325" numbered="true" removeInRFC="false" toc="include" pn="section-6">
      <name slugifiedName="name-updates-to-rfc-9325">Updates to RFC 9325</name>
      <t indent="0" pn="section-6-1">This document updates <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/> with respect to the use of (D)TLS 1.2, and <xref target="rfc9325-updates" format="default" sectionFormat="of" derivedContent="Table 6"/>
lists the exact changes. All of these changes are made in <xref section="4.1" sectionFormat="of" target="RFC9325" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9325#section-4.1" derivedContent="RFC9325"/>.</t>
      <table anchor="rfc9325-updates" align="center" pn="table-6">
        <thead>
          <tr>
            <th align="left" colspan="1" rowspan="1"/>
            <th align="left" colspan="1" rowspan="1">RFC 9325</th>
            <th align="right" colspan="1" rowspan="1">RFC 10015</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left" colspan="1" rowspan="1">Non-ephemeral FFDH</td>
            <td align="left" colspan="1" rowspan="1">
              <bcp14>SHOULD NOT</bcp14></td>
            <td align="right" colspan="1" rowspan="1">
              <bcp14>MUST NOT</bcp14></td>
          </tr>
          <tr>
            <td align="left" colspan="1" rowspan="1">Non-ephemeral ECDH</td>
            <td align="left" colspan="1" rowspan="1">
              <bcp14>SHOULD NOT</bcp14></td>
            <td align="right" colspan="1" rowspan="1">No change</td>
          </tr>
          <tr>
            <td align="left" colspan="1" rowspan="1">Fixed DH certificate types</td>
            <td align="left" colspan="1" rowspan="1">Unspecified</td>
            <td align="right" colspan="1" rowspan="1">
              <bcp14>SHOULD NOT</bcp14></td>
          </tr>
          <tr>
            <td align="left" colspan="1" rowspan="1">Ephemeral FFDH</td>
            <td align="left" colspan="1" rowspan="1">
              <bcp14>SHOULD NOT</bcp14></td>
            <td align="right" colspan="1" rowspan="1">
              <bcp14>MUST NOT</bcp14></td>
          </tr>
          <tr>
            <td align="left" colspan="1" rowspan="1">Static RSA</td>
            <td align="left" colspan="1" rowspan="1">
              <bcp14>SHOULD NOT</bcp14></td>
            <td align="right" colspan="1" rowspan="1">
              <bcp14>MUST NOT</bcp14></td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="iana-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-7">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <t indent="0" pn="section-7-1">The "TLS Cipher Suites" and "TLS ClientCertificateType Identifiers" registries both appear within the "Transport Layer Security (TLS) Parameters" registry group <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/>. IANA has updated entries in the "TLS Cipher Suites" registry <xref target="TLS-REGISTRY" format="default" sectionFormat="of" derivedContent="TLS-REGISTRY"/> as indicated in Sections <xref target="dhcs" format="counter" sectionFormat="of" derivedContent="5.1"/>, <xref target="ecdhcs" format="counter" sectionFormat="of" derivedContent="5.2"/>, <xref target="dhecs" format="counter" sectionFormat="of" derivedContent="5.3"/>, and <xref target="rsacs" format="counter" sectionFormat="of" derivedContent="5.4"/>. IANA has also updated entries in the "TLS ClientCertificateType Identifiers" registry as indicated in <xref target="cert" format="default" sectionFormat="of" derivedContent="Section 5.5"/>.</t>
      <t indent="0" pn="section-7-2">For each entry listed in Sections <xref target="dhcs" format="counter" sectionFormat="of" derivedContent="5.1"/>, <xref target="ecdhcs" format="counter" sectionFormat="of" derivedContent="5.2"/>, <xref target="dhecs" format="counter" sectionFormat="of" derivedContent="5.3"/>, <xref target="rsacs" format="counter" sectionFormat="of" derivedContent="5.4"/>, and <xref target="cert" format="counter" sectionFormat="of" derivedContent="5.5"/>,
IANA has set the "Recommended" column to "D" and updated the entry's Reference column to refer to this document. For information about the use of "D" in the "Recommended" column, see <xref target="RFC9847" format="default" sectionFormat="of" derivedContent="RFC9847"/>.</t>
    </section>
    <section anchor="sec-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-8">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t indent="0" pn="section-8-1">Non-ephemeral finite field DH cipher suites (TLS_DH_*), as well as ephemeral key reuse
for finite field DH cipher suites, are prohibited due to the Raccoon attack <xref target="RACCOON" format="default" sectionFormat="of" derivedContent="RACCOON"/>. Both are
already considered bad practice since they do not provide forward secrecy. However,
the Raccoon attack revealed that timing side channels in processing TLS premaster secrets may be
exploited to reveal the encrypted premaster secret.</t>
      <t indent="0" pn="section-8-2">As for non-ephemeral ECDH cipher suites (TLS_ECDH_*), forgoing forward secrecy
not only allows retroactive decryption in the event of key compromise but may
also enable a broad category of attacks where the attacker exploits key reuse
to repeatedly query a cryptographic secret.</t>
      <t indent="0" pn="section-8-3">This category includes, but is not necessarily limited to, the following
examples:</t>
      <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-8-4"><li pn="section-8-4.1" derivedCounter="1.">
          <t indent="0" pn="section-8-4.1.1">Invalid curve attacks, where the attacker exploits key reuse to repeatedly
query and eventually learn the key itself. These attacks have been shown to be
practical against real-world TLS implementations <xref target="ICA" format="default" sectionFormat="of" derivedContent="ICA"/>.</t>
        </li>
        <li pn="section-8-4.2" derivedCounter="2.">
          <t indent="0" pn="section-8-4.2.1">Side-channel attacks, where the attacker exploits key reuse and an additional
side channel to learn a cryptographic secret. For an example of such an attack,
refer to <xref target="MAY4" format="default" sectionFormat="of" derivedContent="MAY4"/>.</t>
        </li>
        <li pn="section-8-4.3" derivedCounter="3.">
          <t indent="0" pn="section-8-4.3.1">Fault attacks, where the attacker exploits key reuse and incorrect
calculations to learn a cryptographic secret. For an example of such an attack,
see <xref target="PARIS256" format="default" sectionFormat="of" derivedContent="PARIS256"/>.</t>
        </li>
      </ol>
      <t indent="0" pn="section-8-5">Such attacks are often implementation-dependent, including the above examples.
However, these examples demonstrate that building a system that reuses keys and
avoids this category of attacks is difficult in practice. In contrast, avoiding
key reuse not only prevents decryption in the event of key compromise, but it also
precludes this category of attacks altogether. Therefore, this document
discourages the reuse of ECDH public keys.</t>
      <t indent="0" pn="section-8-6">As for ephemeral finite field DH in (D)TLS 1.2 (TLS_DHE_* and TLS_PSK_DHE_*), as explained above, clients have no practical way to support these cipher suites while ensuring they only negotiate security parameters that are acceptable to them. In (D)TLS 1.2, the server chooses the DH group, and custom groups are prevalent. Therefore, once the client includes these cipher suites in its handshake and the server presents a custom group, the client cannot complete the handshake while ensuring security. Verifying the group structure is prohibitively expensive for the client. Using a safelist of known-good groups is also impractical, since server operators were encouraged to generate their own custom group. Further, there is no mechanism for the handshake to fall back to other parameters that are acceptable to both the client and server.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references" pn="section-9">
      <name slugifiedName="name-references">References</name>
      <references anchor="sec-normative-references" pn="section-9.1">
        <name slugifiedName="name-normative-references">Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC4162" target="https://www.rfc-editor.org/info/rfc4162" quoteTitle="true" derivedAnchor="RFC4162">
          <front>
            <title>Addition of SEED Cipher Suites to Transport Layer Security (TLS)</title>
            <author fullname="H.J. Lee" initials="H.J." surname="Lee"/>
            <author fullname="J.H. Yoon" initials="J.H." surname="Yoon"/>
            <author fullname="J.I. Lee" initials="J.I." surname="Lee"/>
            <date month="September" year="2005"/>
            <abstract>
              <t indent="0">This document proposes the addition of new cipher suites to the Transport Layer Security (TLS) protocol to support the SEED encryption algorithm as a bulk cipher algorithm. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4162"/>
          <seriesInfo name="DOI" value="10.17487/RFC4162"/>
        </reference>
        <reference anchor="RFC4279" target="https://www.rfc-editor.org/info/rfc4279" quoteTitle="true" derivedAnchor="RFC4279">
          <front>
            <title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</title>
            <author fullname="P. Eronen" initials="P." role="editor" surname="Eronen"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <date month="December" year="2005"/>
            <abstract>
              <t indent="0">This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocol to support authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance among the communicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated with a pre-shared key, and the third set combines public key authentication of the server with pre-shared key authentication of the client. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4279"/>
          <seriesInfo name="DOI" value="10.17487/RFC4279"/>
        </reference>
        <reference anchor="RFC4346" target="https://www.rfc-editor.org/info/rfc4346" quoteTitle="true" derivedAnchor="RFC4346">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.1</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="April" year="2006"/>
            <abstract>
              <t indent="0">This document specifies Version 1.1 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4346"/>
          <seriesInfo name="DOI" value="10.17487/RFC4346"/>
        </reference>
        <reference anchor="RFC4785" target="https://www.rfc-editor.org/info/rfc4785" quoteTitle="true" derivedAnchor="RFC4785">
          <front>
            <title>Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)</title>
            <author fullname="U. Blumenthal" initials="U." surname="Blumenthal"/>
            <author fullname="P. Goel" initials="P." surname="Goel"/>
            <date month="January" year="2007"/>
            <abstract>
              <t indent="0">This document specifies authentication-only ciphersuites (with no encryption) for the Pre-Shared Key (PSK) based Transport Layer Security (TLS) protocol. These ciphersuites are useful when authentication and integrity protection is desired, but confidentiality is not needed or not permitted. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4785"/>
          <seriesInfo name="DOI" value="10.17487/RFC4785"/>
        </reference>
        <reference anchor="RFC5246" target="https://www.rfc-editor.org/info/rfc5246" quoteTitle="true" derivedAnchor="RFC5246">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2008"/>
            <abstract>
              <t indent="0">This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5246"/>
          <seriesInfo name="DOI" value="10.17487/RFC5246"/>
        </reference>
        <reference anchor="RFC5288" target="https://www.rfc-editor.org/info/rfc5288" quoteTitle="true" derivedAnchor="RFC5288">
          <front>
            <title>AES Galois Counter Mode (GCM) Cipher Suites for TLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="A. Choudhury" initials="A." surname="Choudhury"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="August" year="2008"/>
            <abstract>
              <t indent="0">This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation. GCM provides both confidentiality and data origin authentication, can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations. This memo defines TLS cipher suites that use AES-GCM with RSA, DSA, and Diffie-Hellman-based key exchange mechanisms. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5288"/>
          <seriesInfo name="DOI" value="10.17487/RFC5288"/>
        </reference>
        <reference anchor="RFC5289" target="https://www.rfc-editor.org/info/rfc5289" quoteTitle="true" derivedAnchor="RFC5289">
          <front>
            <title>TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2008"/>
            <abstract>
              <t indent="0">RFC 4492 describes elliptic curve cipher suites for Transport Layer Security (TLS). However, all those cipher suites use HMAC-SHA-1 as their Message Authentication Code (MAC) algorithm. This document describes sixteen new cipher suites for TLS that specify stronger MAC algorithms. Eight use Hashed Message Authentication Code (HMAC) with SHA-256 or SHA-384, and eight use AES in Galois Counter Mode (GCM). This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5289"/>
          <seriesInfo name="DOI" value="10.17487/RFC5289"/>
        </reference>
        <reference anchor="RFC5469" target="https://www.rfc-editor.org/info/rfc5469" quoteTitle="true" derivedAnchor="RFC5469">
          <front>
            <title>DES and IDEA Cipher Suites for Transport Layer Security (TLS)</title>
            <author fullname="P. Eronen" initials="P." role="editor" surname="Eronen"/>
            <date month="February" year="2009"/>
            <abstract>
              <t indent="0">Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES (when used in single-DES mode) and IDEA are no longer recommended for general use in TLS, and have been removed from TLS version 1.2 (RFC 5246). This document specifies these cipher suites for completeness and discusses reasons why their use is no longer recommended. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5469"/>
          <seriesInfo name="DOI" value="10.17487/RFC5469"/>
        </reference>
        <reference anchor="RFC5487" target="https://www.rfc-editor.org/info/rfc5487" quoteTitle="true" derivedAnchor="RFC5487">
          <front>
            <title>Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode</title>
            <author fullname="M. Badra" initials="M." surname="Badra"/>
            <date month="March" year="2009"/>
            <abstract>
              <t indent="0">RFC 4279 and RFC 4785 describe pre-shared key cipher suites for Transport Layer Security (TLS). However, all those cipher suites use SHA-1 in their Message Authentication Code (MAC) algorithm. This document describes a set of pre-shared key cipher suites for TLS that uses stronger digest algorithms (i.e., SHA-256 or SHA-384) and another set that uses the Advanced Encryption Standard (AES) in Galois Counter Mode (GCM). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5487"/>
          <seriesInfo name="DOI" value="10.17487/RFC5487"/>
        </reference>
        <reference anchor="RFC5932" target="https://www.rfc-editor.org/info/rfc5932" quoteTitle="true" derivedAnchor="RFC5932">
          <front>
            <title>Camellia Cipher Suites for TLS</title>
            <author fullname="A. Kato" initials="A." surname="Kato"/>
            <author fullname="M. Kanda" initials="M." surname="Kanda"/>
            <author fullname="S. Kanno" initials="S." surname="Kanno"/>
            <date month="June" year="2010"/>
            <abstract>
              <t indent="0">This document specifies a set of cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. It amends the cipher suites originally specified in RFC 4132 by introducing counterparts using the newer cryptographic hash algorithms from the SHA-2 family. This document obsoletes RFC 4132. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5932"/>
          <seriesInfo name="DOI" value="10.17487/RFC5932"/>
        </reference>
        <reference anchor="RFC6209" target="https://www.rfc-editor.org/info/rfc6209" quoteTitle="true" derivedAnchor="RFC6209">
          <front>
            <title>Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)</title>
            <author fullname="W. Kim" initials="W." surname="Kim"/>
            <author fullname="J. Lee" initials="J." surname="Lee"/>
            <author fullname="J. Park" initials="J." surname="Park"/>
            <author fullname="D. Kwon" initials="D." surname="Kwon"/>
            <date month="April" year="2011"/>
            <abstract>
              <t indent="0">This document specifies a set of cipher suites for the Transport Layer Security (TLS) protocol to support the ARIA encryption algorithm as a block cipher. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6209"/>
          <seriesInfo name="DOI" value="10.17487/RFC6209"/>
        </reference>
        <reference anchor="RFC6347" target="https://www.rfc-editor.org/info/rfc6347" quoteTitle="true" derivedAnchor="RFC6347">
          <front>
            <title>Datagram Transport Layer Security Version 1.2</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="January" year="2012"/>
            <abstract>
              <t indent="0">This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6347"/>
          <seriesInfo name="DOI" value="10.17487/RFC6347"/>
        </reference>
        <reference anchor="RFC6367" target="https://www.rfc-editor.org/info/rfc6367" quoteTitle="true" derivedAnchor="RFC6367">
          <front>
            <title>Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)</title>
            <author fullname="S. Kanno" initials="S." surname="Kanno"/>
            <author fullname="M. Kanda" initials="M." surname="Kanda"/>
            <date month="September" year="2011"/>
            <abstract>
              <t indent="0">This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6367"/>
          <seriesInfo name="DOI" value="10.17487/RFC6367"/>
        </reference>
        <reference anchor="RFC6655" target="https://www.rfc-editor.org/info/rfc6655" quoteTitle="true" derivedAnchor="RFC6655">
          <front>
            <title>AES-CCM Cipher Suites for Transport Layer Security (TLS)</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="D. Bailey" initials="D." surname="Bailey"/>
            <date month="July" year="2012"/>
            <abstract>
              <t indent="0">This memo describes the use of the Advanced Encryption Standard (AES) in the Counter with Cipher Block Chaining - Message Authentication Code (CBC-MAC) Mode (CCM) of operation within Transport Layer Security (TLS) and Datagram TLS (DTLS) to provide confidentiality and data origin authentication. The AES-CCM algorithm is amenable to compact implementations, making it suitable for constrained environments. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6655"/>
          <seriesInfo name="DOI" value="10.17487/RFC6655"/>
        </reference>
        <reference anchor="RFC7905" target="https://www.rfc-editor.org/info/rfc7905" quoteTitle="true" derivedAnchor="RFC7905">
          <front>
            <title>ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)</title>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="W. Chang" initials="W." surname="Chang"/>
            <author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavrogiannopoulos"/>
            <author fullname="J. Strombergson" initials="J." surname="Strombergson"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="June" year="2016"/>
            <abstract>
              <t indent="0">This document describes the use of the ChaCha stream cipher and Poly1305 authenticator in the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.</t>
              <t indent="0">This document updates RFCs 5246 and 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7905"/>
          <seriesInfo name="DOI" value="10.17487/RFC7905"/>
        </reference>
        <reference anchor="RFC7919" target="https://www.rfc-editor.org/info/rfc7919" quoteTitle="true" derivedAnchor="RFC7919">
          <front>
            <title>Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)</title>
            <author fullname="D. Gillmor" initials="D." surname="Gillmor"/>
            <date month="August" year="2016"/>
            <abstract>
              <t indent="0">Traditional finite-field-based Diffie-Hellman (DH) key exchange during the Transport Layer Security (TLS) handshake suffers from a number of security, interoperability, and efficiency shortcomings. These shortcomings arise from lack of clarity about which DH group parameters TLS servers should offer and clients should accept. This document offers a solution to these shortcomings for compatible peers by using a section of the TLS "Supported Groups Registry" (renamed from "EC Named Curve Registry" by this document) to establish common finite field DH parameters with known structure and a mechanism for peers to negotiate support for these groups.</t>
              <t indent="0">This document updates TLS versions 1.0 (RFC 2246), 1.1 (RFC 4346), and 1.2 (RFC 5246), as well as the TLS Elliptic Curve Cryptography (ECC) extensions (RFC 4492).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7919"/>
          <seriesInfo name="DOI" value="10.17487/RFC7919"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8422" quoteTitle="true" derivedAnchor="RFC8422">
          <front>
            <title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="M. Pegourie-Gonnard" initials="M." surname="Pegourie-Gonnard"/>
            <date month="August" year="2018"/>
            <abstract>
              <t indent="0">This document describes key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) as authentication mechanisms.</t>
              <t indent="0">This document obsoletes RFC 4492.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8422"/>
          <seriesInfo name="DOI" value="10.17487/RFC8422"/>
        </reference>
        <reference anchor="RFC8996" target="https://www.rfc-editor.org/info/rfc8996" quoteTitle="true" derivedAnchor="RFC8996">
          <front>
            <title>Deprecating TLS 1.0 and TLS 1.1</title>
            <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <date month="March" year="2021"/>
            <abstract>
              <t indent="0">This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.</t>
              <t indent="0">This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.</t>
              <t indent="0">This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="8996"/>
          <seriesInfo name="DOI" value="10.17487/RFC8996"/>
        </reference>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" quoteTitle="true" derivedAnchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t indent="0">This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t indent="0">The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t indent="0">This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9325" target="https://www.rfc-editor.org/info/rfc9325" quoteTitle="true" derivedAnchor="RFC9325">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="November" year="2022"/>
            <abstract>
              <t indent="0">Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
              <t indent="0">RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="9325"/>
          <seriesInfo name="DOI" value="10.17487/RFC9325"/>
        </reference>
        <reference anchor="RFC9846" target="https://www.rfc-editor.org/info/rfc9846" quoteTitle="true" derivedAnchor="RFC9846">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="July" year="2026"/>
            <abstract>
              <t indent="0">This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t indent="0">This document obsoletes RFC 8446, which specified TLS 1.3. This document obsoletes RFC 5246 (specifying TLS 1.2) and RFCs 5077, 6961, 7627, and 8422, all of which pertain to TLS 1.2 or earlier, and updates RFCs 5705 and 6066. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9846"/>
          <seriesInfo name="DOI" value="10.17487/RFC9846"/>
        </reference>
        <reference anchor="RFC9847" target="https://www.rfc-editor.org/info/rfc9847" quoteTitle="true" derivedAnchor="RFC9847">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="December" year="2025"/>
            <abstract>
              <t indent="0">This document updates the changes to the TLS and DTLS IANA registries made in RFC 8447. It adds a new value, "D" for discouraged, to the "Recommended" column of the selected TLS registries and adds a "Comment" column to all active registries that do not already have a "Comment" column. Finally, it updates the registration request instructions.</t>
              <t indent="0">This document updates RFC 8447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9847"/>
          <seriesInfo name="DOI" value="10.17487/RFC9847"/>
        </reference>
      </references>
      <references anchor="sec-informative-references" pn="section-9.2">
        <name slugifiedName="name-informative-references">Informative References</name>
        <reference anchor="BLEI" quoteTitle="true" target="https://doi.org/10.1007/BFb0055716" derivedAnchor="BLEI">
          <front>
            <title>Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1</title>
            <author initials="D." surname="Bleichenbacher">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="1998"/>
          </front>
          <seriesInfo name="DOI" value="10.1007/BFb0055716"/>
          <refcontent>Advances in Cryptology -- CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, pp. 1-12</refcontent>
        </reference>
        <reference anchor="DLOG795" target="https://eprint.iacr.org/2020/697" quoteTitle="true" derivedAnchor="DLOG795">
          <front>
            <title>Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment</title>
            <author initials="F." surname="Boudot">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P." surname="Gaudry">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A." surname="Guillevic">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Heninger">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Thomé">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P." surname="Zimmermann">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2020" month="August" day="17"/>
          </front>
          <seriesInfo name="DOI" value="10.1007/978-3-030-56880-1_3"/>
          <refcontent>Cryptology ePrint Archive, Paper 2020/697</refcontent>
        </reference>
        <reference anchor="DROWN" target="https://drownattack.com/drown-attack-paper.pdf" quoteTitle="true" derivedAnchor="DROWN">
          <front>
            <title>DROWN: Breaking TLS using SSLv2</title>
            <author initials="N." surname="Aviram">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Schinzel">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Heninger">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Dankel">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Steube">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L." surname="Valenta">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="D." surname="Adrian">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J. A." surname="Halderman">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="V." surname="Dukhovni">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Käsper">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Cohney">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Engels">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Paar">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Y." surname="Shavitt">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2016" month="August"/>
          </front>
          <refcontent>Proceedings of the 25th USENIX Security Symposium</refcontent>
        </reference>
        <reference anchor="ICA" target="https://link.springer.com/content/pdf/10.1007/978-3-319-24174-6_21.pdf" quoteTitle="true" derivedAnchor="ICA">
          <front>
            <title>Practical invalid curve attacks on TLS-ECDH</title>
            <author initials="T." surname="Jager">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="September" day="21"/>
          </front>
          <seriesInfo name="DOI" value="10.1007/978-3-319-24174-6_21"/>
          <refcontent>ESORICS 2015, Part I, Lecture Notes in Computer Science, vol. 9326, pp. 407-425</refcontent>
        </reference>
        <reference anchor="MAY4" target="https://dl.acm.org/doi/pdf/10.1145/3133956.3134029" quoteTitle="true" derivedAnchor="MAY4">
          <front>
            <title>May the Fourth Be With You: A Microarchitectural Side Channel Attack on Several Real-World Applications of Curve25519</title>
            <author initials="D." surname="Genkin">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L." surname="Valenta">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Y." surname="Yarom">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017" month="October" day="30"/>
          </front>
          <seriesInfo name="DOI" value="10.1145/3133956.3134029"/>
          <refcontent>Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security</refcontent>
        </reference>
        <reference anchor="NEW-BLEI" target="https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-meyer.pdf" quoteTitle="true" derivedAnchor="NEW-BLEI">
          <front>
            <title>Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks</title>
            <author initials="C." surname="Meyer">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Weiss">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Schinzel">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Tews">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2014" month="August"/>
          </front>
          <refcontent>Proceedings of the 23rd USENIX Security Symposium</refcontent>
        </reference>
        <reference anchor="PARIS256" target="https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf" quoteTitle="true" derivedAnchor="PARIS256">
          <front>
            <title>The PARIS256 Attack</title>
            <author initials="S." surname="Devlin">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="F." surname="Valsorda">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018" month="August" day="08"/>
          </front>
        </reference>
        <reference anchor="RACCOON" target="https://raccoon-attack.com/RacoonAttack.pdf" quoteTitle="true" derivedAnchor="RACCOON">
          <front>
            <title>Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)</title>
            <author initials="R." surname="Merget">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Brinkmann">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Aviram">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Mittmann">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2020" month="September" day="09"/>
          </front>
        </reference>
        <reference anchor="RFC4492" target="https://www.rfc-editor.org/info/rfc4492" quoteTitle="true" derivedAnchor="RFC4492">
          <front>
            <title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</title>
            <author fullname="S. Blake-Wilson" initials="S." surname="Blake-Wilson"/>
            <author fullname="N. Bolyard" initials="N." surname="Bolyard"/>
            <author fullname="V. Gupta" initials="V." surname="Gupta"/>
            <author fullname="C. Hawk" initials="C." surname="Hawk"/>
            <author fullname="B. Moeller" initials="B." surname="Moeller"/>
            <date month="May" year="2006"/>
            <abstract>
              <t indent="0">This document describes new key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In particular, it specifies the use of Elliptic Curve Diffie-Hellman (ECDH) key agreement in a TLS handshake and the use of Elliptic Curve Digital Signature Algorithm (ECDSA) as a new authentication mechanism. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4492"/>
          <seriesInfo name="DOI" value="10.17487/RFC4492"/>
        </reference>
        <reference anchor="ROBOT" target="https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bock.pdf" quoteTitle="true" derivedAnchor="ROBOT">
          <front>
            <title>Return Of Bleichenbacher's Oracle Threat (ROBOT)</title>
            <author initials="H." surname="Boeck">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Young">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018" month="August"/>
          </front>
          <refcontent>Proceedings of the 27th USENIX Security Symposium</refcontent>
        </reference>
        <reference anchor="SUBGROUPS" target="https://eprint.iacr.org/2016/995/20161017:193515" quoteTitle="true" derivedAnchor="SUBGROUPS">
          <front>
            <title>Measuring small subgroup attacks against Diffie-Hellman</title>
            <author initials="L." surname="Valenta">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="D." surname="Adrian">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A." surname="Sanso">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Cohney">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Fried">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Hastings">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J. A." surname="Halderman">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Heninger">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2016" month="October" day="17"/>
          </front>
          <refcontent>Cryptology ePrint Archive, Paper 2016/995</refcontent>
        </reference>
        <reference anchor="TLS-REGISTRY" target="https://www.iana.org/assignments/tls-parameters" quoteTitle="true" derivedAnchor="TLS-REGISTRY">
          <front>
            <title>Transport Layer Security (TLS) Parameters</title>
            <author>
              <organization showOnFrontPage="true">IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="WEAK-DH" target="https://weakdh.org/" quoteTitle="true" derivedAnchor="WEAK-DH">
          <front>
            <title>Weak Diffie-Hellman and the Logjam Attack</title>
            <author initials="D." surname="Adrian">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="K." surname="Bhargavan">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Z." surname="Durumeric">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P." surname="Gaudry">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Green">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J. A." surname="Halderman">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Heninger">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="D." surname="Springall">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Thomé">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L." surname="Valenta">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="B." surname="VanderSloot">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="E." surname="Wustrow">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Zanella-Béguelin">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P." surname="Zimmermann">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="October"/>
          </front>
        </reference>
        <reference anchor="XPROT" quoteTitle="true" target="https://doi.org/10.1145/2810103.2813657" derivedAnchor="XPROT">
          <front>
            <title>On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption</title>
            <author initials="T." surname="Jager">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="October"/>
          </front>
          <seriesInfo name="DOI" value="10.1145/2810103.2813657"/>
          <refcontent>Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1185-1196</refcontent>
        </reference>
      </references>
    </references>
    <section numbered="false" anchor="acks" removeInRFC="false" toc="include" pn="section-appendix.a">
      <name slugifiedName="name-acknowledgments">Acknowledgments</name>
      <t indent="0" pn="section-appendix.a-1">This document includes many important contributions from <contact fullname="Carrie Bartle"/>, who wrote much of the prose and presented it several times at the IETF TLS WG.</t>
      <t indent="0" pn="section-appendix.a-2">The document was inspired by discussions on the TLS WG mailing list and
a suggestion by <contact fullname="Filippo Valsorda"/> following the release of the Raccoon attack <xref target="RACCOON" format="default" sectionFormat="of" derivedContent="RACCOON"/>.
Thanks to <contact fullname="Christopher A. Wood"/> for writing up the initial draft of this document.
Thanks also to <contact fullname="Thomas Fossati"/>, <contact fullname="Sean Turner"/>, <contact fullname="Joe Salowey"/>, <contact fullname="Yaron Sheffer"/>, <contact fullname="Christian Buchgraber"/>, <contact fullname="John Preuß Mattsson"/>, and <contact fullname="Manuel Pégourié-Gonnard"/> for their comments and suggestions.</t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b">
      <name slugifiedName="name-authors-address">Author's Address</name>
      <author initials="N." surname="Aviram" fullname="Nimrod Aviram">
        <organization showOnFrontPage="true"/>
        <address>
          <email>nimrod.aviram@gmail.com</email>
        </address>
      </author>
    </section>
  </back>
</rfc>
