Re: [TLS] Call for consensus to remove anonymous DH

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 September 2015 00:32 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF TLS Working Group <tls@ietf.org>
Date: Wed, 16 Sep 2015 20:31:41 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QWwduchhfj4bxqTvbR-efN7e8FQ>

On Tue 2015-09-15 21:00:39 -0400, Joseph Salowey wrote:
> There has been some discussion to remove anonymous DH as described in
> https://www.ietf.org/mail-archive/web/tls/current/msg17481.html.  I think
> ekr's message sums up the pros and cons well.  I don't think we have
> consensus on this issue yet.  Please respond on this message by Monday,
> September 21, if you have an opinion.

I support removing anonymous DH for the server side[0] of TLS.  TLS
servers that want to effectively do "anonymous" DH can craft a raw
public key or certificate and forge a signed_params to match.  They can
do this per-session if they do not want to present a persistent
identity.

For those worried about computational cost: the raw public key or
certificate themselves do not have to be valid mathematical objects if
the peer is not inclined to check them.  The signed_params itself could
also be all 0xff or anything you like as long as the peer isn't
checking.  For those concerned about bandwidth, these objects do not
have to be large.

This simplifies the expected messages and transitions in a TLS
handshake.  I think that's a good thing, given the errors we've seen
already in state machine implementations.

         --dkg
         
[0] I do not think that clients engaged in a DH key exchange should be
    uniformly required to claim an identity at the TLS layer :)
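
The following is an added example, not part of the original message or of any TLS implementation: it shows that a ServerKeyExchange carrying a placeholder signed_params has the same wire layout and parse path as an authenticated one, so the outcome depends entirely on whether the client verifies. It assumes the TLS 1.2 (RFC 5246) DHE ServerKeyExchange layout, a constructed toy group, and hypothetical function names.

```python
import secrets
import struct

# Constructed toy group, far too small for real use.
P, G = 2**127 - 1, 3

def _vec16(b):
    return struct.pack("!H", len(b)) + b

def _int_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def _read_vec16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_ske(ys, signature, alg=(4, 1)):
    """ServerDHParams (dh_p, dh_g, dh_Ys) followed by signed_params."""
    params = b"".join(_vec16(_int_bytes(v)) for v in (P, G, ys))
    return params + bytes(alg) + _vec16(signature)  # alg 4,1 = sha256,rsa

def parse_ske(msg):
    off, nums = 0, []
    for _ in range(3):
        raw, off = _read_vec16(msg, off)
        nums.append(int.from_bytes(raw, "big"))
    if off + 2 > len(msg):
        raise ValueError("missing SignatureAndHashAlgorithm")
    sig, end = _read_vec16(msg, off + 2)
    if end != len(msg):
        raise ValueError("trailing bytes")
    p, g, ys = nums
    return {"p": p, "g": g, "ys": ys, "params": msg[:off],
            "alg": (msg[off], msg[off + 1]), "sig": sig}

def client_key_exchange(msg, verify=None):
    """Return (dh_Yc, shared secret). verify is a hypothetical callback;
    real TLS also signs the client and server randoms."""
    ske = parse_ske(msg)
    if verify is not None and not verify(ske["params"], ske["alg"], ske["sig"]):
        raise ValueError("signed_params rejected")
    if not 1 < ske["ys"] < ske["p"] - 1:
        raise ValueError("dh_Ys out of range")
    x = secrets.randbelow(ske["p"] - 3) + 2
    return pow(ske["g"], x, ske["p"]), pow(ske["ys"], x, ske["p"])
```

Calling `client_key_exchange(build_ske(ys, b"\xff" * 8))` completes the exchange, while a client that passes a `verify` callback which actually checks the signature raises `ValueError` on the same message.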