https://github.com/tlswg/tls13-spec/issues/233

Folks,

We presently have some support for DH_anon cipher suites. I agree that this
is a useful use case, but it's yet another mode.

I would like to suggest that we instead deprecate it and instead always use
Raw Public Key mode (https://tools.ietf.org/html/rfc7250). The idea is that
the client would simply indicate support for a raw public key and the
server could then either (a) spin a new key for this use or (b) use a
long-term one. To my mind this has three advantages:

1. Complexity: It means that we have one less operational mode. And all the
public key modes would look cryptographically similar.

2. It resolves the question of how you bind to the server's identity in
0-RTT mode (https://github.com/tlswg/tls13-spec/issues/219), namely the raw
public key that goes in the Certificate message.

3. It makes it easier to do an SSH-style leap-of-faith mode since the
server can use the same signing key for a long time while maintaining PFS.

It seems to me that the two major counterarguments are:

1. Extra computational cost from the signature. I'm not worried too much
about that since generally the anonymous contexts don't do a lot of
connections and we don't really want to encourage pure anonymous (i.e.,
non-TOFU) modes anyway.

2. It's less explicit that this is unverified. Arguably this is a feature
rather than a bug.

Thoughts?
-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
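The mechanics behind points 2 and 3 above, as an added illustration that is not part of the original post or of the TLS 1.3 specification: the server keeps one long-lived Ed25519 key and sends it raw, spins a fresh X25519 share per connection for forward secrecy, and signs the two shares so the raw key binds the server's identity; the client pins the raw key on first contact, SSH style. The Ed25519/X25519 choice, signing just the two shares as a stand-in for the handshake transcript signature, the SHA-256 pin store and the host name are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerFlight: the raw long-term public key (no chain), a fresh X25519 share, a signature over both shares.
type ServerFlight struct {
	RawPub     ed25519.PublicKey
	Share, Sig []byte
}

// Pins is the client's leap-of-faith store: host -> SHA-256 of the raw public key first seen.
type Pins map[string][32]byte

// Respond spins a new X25519 key per connection (forward secrecy) and signs both shares with sk.
func Respond(sk ed25519.PrivateKey, clientShare []byte) ServerFlight {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	share := eph.PublicKey().Bytes()
	sig := ed25519.Sign(sk, append(append([]byte{}, clientShare...), share...))
	return ServerFlight{RawPub: sk.Public().(ed25519.PublicKey), Share: share, Sig: sig}
}

// Verify checks the signature over both shares, then applies SSH-style TOFU pinning.
func (p Pins) Verify(host string, clientShare []byte, f ServerFlight) error {
	if !ed25519.Verify(f.RawPub, append(append([]byte{}, clientShare...), f.Share...), f.Sig) {
		return errors.New("signature over key shares does not verify")
	}
	fp := sha256.Sum256(f.RawPub)
	if seen, ok := p[host]; ok && seen != fp {
		return errors.New("raw public key changed since first use")
	}
	p[host] = fp // first contact: trust and remember; later contacts must match
	return nil
}

func main() {
	_, sk, _ := ed25519.GenerateKey(rand.Reader)    // the server's long-term key (constructed)
	_, other, _ := ed25519.GenerateKey(rand.Reader) // some other party's key (constructed)
	c, _ := ecdh.X25519().GenerateKey(rand.Reader)  // client's ephemeral share
	pins := Pins{}
	fmt.Println(pins.Verify("host.test", c.PublicKey().Bytes(), Respond(sk, c.PublicKey().Bytes())))    // <nil>: first use, pinned
	fmt.Println(pins.Verify("host.test", c.PublicKey().Bytes(), Respond(other, c.PublicKey().Bytes()))) // error: key changed
}
```

A real deployment signs the full handshake transcript and derives the traffic keys from the X25519 shared secret; both are omitted here to keep the identity-binding and pinning logic in view.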
