Re: [TLS] Call for consensus to remove anonymous DH

Nico Williams <nico@cryptonector.com> Wed, 16 September 2015 21:01 UTC

Date: Wed, 16 Sep 2015 16:01:14 -0500
From: Nico Williams <nico@cryptonector.com>
To: Brian Smith <brian@briansmith.org>
Message-ID: <20150916210113.GP13294@localhost>
References: <CAOgPGoBT9C=pWebXShqxhbOsnqK+OZe=-n-SvZ_pH-dAtRaWXQ@mail.gmail.com> <CAFewVt7_23v18HpzzDy4ew1h66iNTBOSdP+CVBgc9T-4Z3isfA@mail.gmail.com>
In-Reply-To: <CAFewVt7_23v18HpzzDy4ew1h66iNTBOSdP+CVBgc9T-4Z3isfA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dulXUCJNpQ5zdbmmYoPoWOpgbZo>
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, Sep 16, 2015 at 01:20:37PM -0700, Brian Smith wrote:
> I think it is a good idea to remove DH_anon_* and similar ECDH_anon_*
> cipher suites.
> 
> This isn't an endorsement of the raw public key modes.

Sure, one can always use self-signed certs (at an even higher cost to do
anonymity).  If we're going to raise the cost of anonymity for the sake
of simplicity in TLS 1.3, do let's try to keep that cost from
escalating.  Raw public keys are not a large additional complexity cost.
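As an added example (not part of this message or the thread), the following Python audit flags the unauthenticated key-exchange suites under discussion, the DH_anon_* and ECDH_anon_* families, in a cipher-suite list given in either IANA or OpenSSL naming, and checks that Python's default `ssl` client context enables none of them. The function names and the sample suite list are my own constructions.

```python
"""Audit a TLS cipher-suite list for anonymous (unauthenticated) key exchange.

Added example, not code from the mailing-list thread. IANA names mark the
anonymous families with "_anon_" (TLS_DH_anon_*, TLS_ECDH_anon_*); OpenSSL
names use the ADH- / AECDH- prefixes for the same suites. A peer that
negotiates one of these has performed no authentication at all, which is
what the thread's removal proposal is about.
"""
import re
import ssl

_ANON_IANA = re.compile(r"^TLS_(EC)?DH_anon_", re.IGNORECASE)
_ANON_OPENSSL = re.compile(r"^A(EC)?DH-", re.IGNORECASE)


def is_anonymous_suite(name: str) -> bool:
    """True if the suite name denotes anonymous (EC)DH key exchange."""
    return bool(_ANON_IANA.match(name) or _ANON_OPENSSL.match(name))


def find_anonymous_suites(names):
    """Return the subset of `names` that use unauthenticated key exchange."""
    return [n for n in names if is_anonymous_suite(n)]


def default_context_anonymous_suites():
    """Anonymous suites enabled in Python's default client SSLContext.

    SSLContext.get_ciphers() yields one dict per enabled suite; its 'auth'
    field is 'auth-none' for anonymous key exchange. The name check is kept
    as a second signal in case the field is absent on an older build.
    """
    ctx = ssl.create_default_context()
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-none" or is_anonymous_suite(c["name"])
    ]


# Constructed sample list mixing authenticated and anonymous suites.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ADH-AES128-SHA",
    "AECDH-AES128-SHA",
]

if __name__ == "__main__":
    print("anonymous in sample list:", find_anonymous_suites(SAMPLE_SUITES))
    print("anonymous in default ssl context:", default_context_anonymous_suites())
```

Pointing the audit at a server's advertised suite list (or at a cipher string taken from a config file) gives a quick way to confirm that an endpoint cannot negotiate an unauthenticated exchange; the default-context check shows that CPython's stock configuration already excludes these suites.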