On Fri, Aug 28, 2015 at 06:33:17PM +0000, Viktor Dukhovni wrote:
> On Fri, Aug 28, 2015 at 11:07:02AM -0700, Martin Thomson wrote:
> Furthermore, anon-DH has strong privacy properties, the server
> sends no identity information, not even a public key. Any
> channel-binding at the next layer is privacy protected.

Using raw public signature keys doesn't change that. It just requires generating a signature key every time. For devices/protocols where DH_anon is common (perhaps because they do channel binding) the proposal at hand is annoying and CPU-wasting, but hardly fatal.

I'm not sure how I feel about this. The idea that we always do a DH key exchange and always have a server signature means we can greatly reduce the number of ciphersuites, so that's quite helpful. We'd have to apply this to PSK too to make it really worthwhile.

> My view is that anon_DH should either be supported properly (be
> defined for the same symmetric cipher combinations as ciphersuites
> with certs or public keys) or as proposed not supported at all.

Yes, DH_anon should be first-class.

Nico