On Mon, Aug 31, 2015 at 9:13 AM, Nico Williams <n...@cryptonector.com> wrote:
> On Fri, Aug 28, 2015 at 06:33:17PM +0000, Viktor Dukhovni wrote:
> > On Fri, Aug 28, 2015 at 11:07:02AM -0700, Martin Thomson wrote:
> > Furthermore, anon-DH has strong privacy properties, the server
> > sends no identity information, not even a public key. Any
> > channel-binding at the next layer is privacy protected.
>
> Using raw public signature keys doesn't change that. It just requires
> generating a signature key every time.
>
> For devices/protocols where DH_anon is common (perhaps because they do
> channel binding) the proposal at hand is annoying and CPU-wasting, but
> hardly fatal.
>
> I'm not sure how I feel about this. The idea that we always do a DH key
> exchange and always have a server signature means we can greatly reduce
> the number of ciphersuites, so that's quite helpful. We'd have to apply
> this to PSK too to make it really worthwhile.

Certainly it would be nice to get rid of PSK too but just getting rid of DH_anon makes a non-trivial difference.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls