Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 March 2014 12:59 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7CAA1A0984 for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 05:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MtLEI2uB6Nxd for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 05:59:51 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5467F1A096E for <tls@ietf.org>; Wed, 12 Mar 2014 05:59:51 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 2E95FF984; Wed, 12 Mar 2014 08:59:43 -0400 (EDT)
Message-ID: <53205A3F.5080802@fifthhorseman.net>
Date: Wed, 12 Mar 2014 08:59:43 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
References: <CAK3OfOgw70LVQsykxNZSH9+4Dn2inBTx0q0KrvujS1LOY1i9tg@mail.gmail.com> <532024EF.4060607@polarssl.org>
In-Reply-To: <532024EF.4060607@polarssl.org>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Cre2aXLRPQL9oLA2E3xmhL4BKLdg7JFtE"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YFMrByR8PSpKnvWL9yDjuBQ54Tk
Subject: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 12:59:53 -0000

On 03/12/2014 05:12 AM, Manuel Pégourié-Gonnard wrote:

> Sorry if I'm missing something obvious, but why would ECDH_anon be a requirement
> for opportunistic TLS? Can't we just use certificates and not validate them?

using certificates and expecting the peer to not validate them has a
couple downsides:

 0) either the software or the admin must manually provision the
certificate for the server; this means making decisions about questions
that don't necessarily have any good answers, which is not a situation
you want your users to be in.  Servers operating in a pool now need to
have some sort of secret key distribution mechanism, for example.

 1) as peers start using TOFU-like mechanisms (which cannot be
controlled or even necessarily observed by the server itself, the
choices made in (0) become relevant -- want to rotate your key?  want to
deploy a "real" certificate?  want to deploy a certificate issued by
your private CA? all of a sudden your server's identity has changed from
one explicit identity to another.

In the anon case, you can have simple, automatic, configuration-less
deployment that makes no claims of identity at all.

> Or are you rather interested in the performance gain of ECDH_anon over
> authenticated and forward-secure key exchanges?

the performance difference on the server side is one RSA or ECDSA
signature per connection; i don't think this is likely to be a large
factor, though i guess it depends on the key size.

	--dkg