On Mon, Aug 31, 2015 at 09:48:10AM -0700, Eric Rescorla wrote:
> On Mon, Aug 31, 2015 at 9:45 AM, Nico Williams <n...@cryptonector.com> wrote:
> > How would we get rid of PSK [without DH]? What would the impact be on
> > IoT devices? Could we have a fake-DH-and-signature PSK scheme to make
> > it easy on IoTs?
>
> I guess I wasn't clear: I'm not in favor of getting rid of PSK. I'm
> saying that even if we still have PSK, removing DH_anon as an explicit
> mode makes things simpler.

I wasn't either. I was asking about requiring the use of DH [and a
server signature] when using PSK.

Let's get back to removing DH_anon for a minute. What would the impact
be on TCPINC proposals using TLS as their basis? They really need
anonymity, leaving it to the application to do channel binding. (The
application might be using TLS itself, oddly enough.)

Do we really want to force servers to generate an unnecessary signing
key, compute an unnecessary signature, and to then force clients to
verify said unnecessary signature (if they don't then there's a
subliminal channel)?? I think "no", unless the signature algorithm used
is cheap [and weak], which probably adds other complications.

Back to PSK: How is PSK with PFS going to work? How is PSK w/o PFS
going to work?

Anyways, my current take is that we should not get rid of the DH_anon
ciphersuites. I grant that the existing applications (ignoring TCPINC?)
could take the performance hit, but in the longer term it seems likely
to be more problematic than helpful.

Nico
--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls