On Tue 2015-09-15 21:00:39 -0400, Joseph Salowey wrote:
> There has been some discussion to remove anonymous DH as described in
> https://www.ietf.org/mail-archive/web/tls/current/msg17481.html. I think
> ekr's message sums up the pros and cons well. I don't think we have
> consensus on this issue yet. Please respond on this message by Monday,
> September 21, if you have an opinion.

I support removing anonymous DH for the server side[0] of TLS.

TLS servers that want to effectively do "anonymous" DH can craft a raw
public key or certificate and forge a signed_params to match. They can
do this per-session if they do not want to present a persistent identity.

For those worried about computational cost: the raw public key or
certificate themselves do not have to be valid mathematical objects if
the peer is not inclined to check them. The signed_params itself could
also be all 0xff or anything you like as long as the peer isn't checking.

For those concerned about bandwidth, these objects do not have to be
large.

This simplifies the expected messages and transitions in a TLS
handshake. I think that's a good thing, given the errors we've seen
already in state machine implementations.

    --dkg

[0] I do not think that clients engaged in a DH key exchange should be
    uniformly required to claim an identity at the TLS layer :)
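
An added illustration, not part of the message above and not code from any TLS implementation: it assumes the TLS 1.2 ServerKeyExchange layout from RFC 5246 (ServerDHParams followed by signed_params) and shows a non-verifying parser handling one message shape once the params-only dh_anon form is gone. The function names and the DH values are hypothetical and constructed for the example.

```python
import struct

def vec16(data: bytes) -> bytes:
    """TLS opaque<0..2^16-1>: two-byte big-endian length, then the bytes."""
    return struct.pack("!H", len(data)) + data

def read_vec16(buf: bytes, off: int):
    """Read one length-prefixed vector; return (value, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length")
    end = off + 2 + struct.unpack_from("!H", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:end], end

def build_ske(p, g, ys, sig=None) -> bytes:
    """ServerDHParams, followed by signed_params unless sig is None (dh_anon)."""
    body = vec16(p) + vec16(g) + vec16(ys)
    if sig is not None:
        body += bytes([4, 1]) + vec16(sig)  # SignatureAndHashAlgorithm: sha256, rsa
    return body

def parse_ske(buf: bytes, anonymous: bool = False) -> dict:
    """Parse the body. `anonymous` is the extra branch dh_anon forces on the parser."""
    fields, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        fields[name], off = read_vec16(buf, off)
    if not anonymous:
        if off + 2 > len(buf):
            raise ValueError("missing signed_params")
        fields["sig_alg"] = (buf[off], buf[off + 1])
        fields["signature"], off = read_vec16(buf, off + 2)
    if off != len(buf):
        raise ValueError("trailing bytes")
    return fields

# Constructed toy values, not a real DH group or key share.
P, G, YS = bytes.fromhex("ffffffffffffffc5"), b"\x02", bytes.fromhex("0123456789abcdef")
ANON = build_ske(P, G, YS)                   # dh_anon shape: params only
FILLER = build_ske(P, G, YS, b"\xff" * 8)    # signed shape with an unverifiable filler

if __name__ == "__main__":
    print(parse_ske(FILLER)["signature"].hex())   # one code path, filler carried along
    print(len(FILLER) - len(ANON), "extra bytes")
    try:
        parse_ske(ANON)                           # params-only no longer fits the one shape
    except ValueError as exc:
        print("rejected:", exc)
```

The parser never verifies the signature, which is the condition the message states; a peer that does verify signed_params would reject the filler.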