Re: [TLS] Call for consensus to remove anonymous DH
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 September 2015 00:32 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A9B1A8ADF for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJs-LIE-6gUA for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:32:12 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 232201A8ABC for <tls@ietf.org>; Wed, 16 Sep 2015 17:32:12 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 78EDAF984 for <tls@ietf.org>; Wed, 16 Sep 2015 20:32:09 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 4E0331FF67; Wed, 16 Sep 2015 20:31:41 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF TLS Working Group <tls@ietf.org>
In-Reply-To: <CAOgPGoBT9C=pWebXShqxhbOsnqK+OZe=-n-SvZ_pH-dAtRaWXQ@mail.gmail.com>
References: <CAOgPGoBT9C=pWebXShqxhbOsnqK+OZe=-n-SvZ_pH-dAtRaWXQ@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Wed, 16 Sep 2015 20:31:41 -0400
Message-ID: <87h9mt6g42.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QWwduchhfj4bxqTvbR-efN7e8FQ>
Subject: Re: [TLS] Call for consensus to remove anonymous DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 00:32:13 -0000
On Tue 2015-09-15 21:00:39 -0400, Joseph Salowey wrote: > There has been some discussion to remove anonymous DH as described in > https://www.ietf.org/mail-archive/web/tls/current/msg17481.html. I think > ekr's message sums up the pros and cons well. I don't think we have > consensus on this issue yet. Please respond on this message by Monday, > September 21, if you have an opinion. I support removing anonymous DH for the server side[0] of TLS. TLS servers that want to effectively do "anonymous" DH can craft a raw public key or certificate and forge a signed_params to match. They can do this per-session if they do not want to present a persistent identity. For those worried about computational cost: the raw public key or certificate themselves do not have to be valid mathematical objects if the peer is not inclined to check them. The signed_params itself could also be all 0xff or anything you like as long as the peer isn't checking. For those concerned about bandwidth, these objects do not have to be large. This simplifies the expected messages and transitions in a TLS handshake. I think that's a good thing, given the errors we've seen already in state machine implementations. --dkg [0] I do not think that clients engaged in a DH key exchange should be uniformly required to claim an identity at the TLS layer :)
- [TLS] Call for consensus to remove anonymous DH Joseph Salowey
- Re: [TLS] Call for consensus to remove anonymous … Tony Arcieri
- Re: [TLS] Call for consensus to remove anonymous … Tom Ritter
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Nikos Mavrogiannopoulos
- Re: [TLS] Call for consensus to remove anonymous … Aaron Zauner
- Re: [TLS] Call for consensus to remove anonymous … Martin Thomson
- Re: [TLS] Call for consensus to remove anonymous … Russ Housley
- Re: [TLS] Call for consensus to remove anonymous … Andrei Popov
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Salz, Rich
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Brian Smith
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Tony Arcieri
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Brian Smith
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Viktor Dukhovni
- Re: [TLS] Call for consensus to remove anonymous … Daniel Kahn Gillmor
- Re: [TLS] Call for consensus to remove anonymous … Viktor Dukhovni
- Re: [TLS] Call for consensus to remove anonymous … Daniel Kahn Gillmor
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Bill Frantz
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams