On Wed, Sep 16, 2015 at 08:31:41PM -0400, Daniel Kahn Gillmor wrote:
> For those worried about computational cost: the raw public key or
> certificate themselves do not have to be valid mathematical objects if
> the peer is not inclined to check them.
That's not generally possible. Many servers support a mixture of
clients, some of which authenticate, and others not. If a server
agrees to a cipher that requires signatures, it needs to sign.
> The signed_params itself could
> also be all 0xff or anything you like as long as the peer isn't
> checking.
Without "anon_(EC)DH" ciphers in the client HELLO, there's no "I'm
not checking" signal.
> For those concerned about bandwidth, these objects do not
> have to be large.
Absent a client signal, this is generally not viable.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
