> On Nov 24, 2015, at 12:27 PM, Hugo Krawczyk <h...@ee.technion.ac.il> wrote:
> On Tue, Nov 24, 2015 at 12:53 PM, Mike Hamburg <m...@shiftleft.org> wrote:
> 
> > I agree that the speed and size savings are not necessarily worth the 
> > complexity. If we were rolling a new protocol from scratch they probably 
> > would be though. 
> 
> The all-DH-based solution, with DH certificates, does not add complexity but 
> rather simplifies the protocol and analysis, and opens the option of more 
> efficient protocols (e.g. MQV-like ones). But the world does not seem ready 
> to depart from the beloved signature certificates.
> 
> Hugo

I agree for new protocols, but the proposal for TLS isn’t all-DH.  It’s 
allowing both all-DH and DHE+sign.  That’s more complex than just allowing 
DHE+sign.  But I suppose the difference in TLS as proposed is really just 
putting a DH+MAC in CertificateVerify instead of a signature, which isn’t a 
complicated difference.

Sorry to be negative.  I really do like all-DH for simplicity, compactness and 
speed, especially if IP-encumbered algorithms are available.  I’m not against 
its inclusion in TLS if others think it’s worth the complexity of adding 
another option.  But I’m grumpy because this thread started with an insecure 
proposal justified using incorrect numbers.

— Mike
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
