On Wed 2015-09-16 20:21:11 -0400, Viktor Dukhovni wrote:
> The difference between raw public keys (RFC7250 RPK) and anon is:
>
>     - PRO: Dropping anon simplifies the implementation and reduces
>       cipher count.
>
>     - PRO: Raw keys may facilitate TOFU pinning.
>
>     - CON: Raw keys are not yet implemented in any toolkits I've seen
>       (a temporary setback perhaps).
>
>     - CON: Raw keys send more traffic (public key in certificate
>       message, plus signature of key agreement).  Byte counts can
>       matter in some environments.
>
>     - CON: Raw keys consume more CPU (signing the key agreement).
>
>     - CON: Servers lose a simple signal that the client is not
>       bothering with authentication.

and:

      - PRO: passive attackers on the network lose a simple signal that
        the client is not bothering with authentication.

> The costs are likely noticeable for 4096-bit RSA keys.

A server concerned about CPU or bandwidth costs who would have preferred
anon_DH suites would be silly to select 4096-bit RSA, whether RPK or
cert.  They should choose some small ECC key.

A client concerned about CPU who would have been fine with anon_DH will
simply not verify the signature at all.

So that leaves clients concerned about bandwidth, who pretty much have
no choice but to eat the handshake message that the server sends them
anyway :/

   --dkg

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
