Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx

Manuel Pégourié-Gonnard <mpg@polarssl.org> Wed, 12 March 2014 09:12 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD1B41A0934 for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 02:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.394
X-Spam-Level:
X-Spam-Status: No, score=0.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdaC8fecv9Ps for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 02:12:29 -0700 (PDT)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id 67B081A092F for <tls@ietf.org>; Wed, 12 Mar 2014 02:12:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=NN/aUzy0vsF2GrAuefHIfieZygXdFwylM8CMIdjFvNI=; b=fGNqYs9t3gKoI/u7q7ERnCB5cv+RpYhJ4ldnHsXCO/GPj24GkY7q/Az73TIEvi0jd+pnxRJH6zJIsVMmY0t/PrHU2M3eUqJtjFr9Shq3HZG6nHx1enfnNduxLWJxaPXycPa4TzIlhg5zuzIOOaKhT7dHcG5UJgpoWPDZEDem7SY=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.brainspark.nl with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1WNfDE-0004vi-UU for tls@ietf.org; Wed, 12 Mar 2014 10:12:34 +0100
Message-ID: <532024EF.4060607@polarssl.org>
Date: Wed, 12 Mar 2014 10:12:15 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAK3OfOgw70LVQsykxNZSH9+4Dn2inBTx0q0KrvujS1LOY1i9tg@mail.gmail.com>
In-Reply-To: <CAK3OfOgw70LVQsykxNZSH9+4Dn2inBTx0q0KrvujS1LOY1i9tg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/MZnE-Id4l0El66w6Ak_1NeeGExA
Subject: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 09:12:30 -0000

Hi,

On 03/11/2014 11:49 PM, Nico Williams wrote:
> This is a big problem for anything that wants to do opportunistic TLS
> (e.g., MTAs, like Postfix).
> 
Sorry if I'm missing something obvious, but why would ECDH_anon be a requirement
for opportunistic TLS? Can't we just use certificates and not validate them?

Or are you rather interested in the performance gain of ECDH_anon over
authenticated and forward-secure key exchanges?

Manuel.