Re: [TLS] Call for consensus to remove anonymous DH
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 17 September 2015 00:21 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 639FC1A90D9 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:21:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWpPdks4e5IF for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:21:12 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C23411A1BC6 for <tls@ietf.org>; Wed, 16 Sep 2015 17:21:12 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 74068284AED; Thu, 17 Sep 2015 00:21:11 +0000 (UTC)
Date: Thu, 17 Sep 2015 00:21:11 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150917002111.GD21942@mournblade.imrryr.org>
References: <CAOgPGoBT9C=pWebXShqxhbOsnqK+OZe=-n-SvZ_pH-dAtRaWXQ@mail.gmail.com> <CAFewVt7_23v18HpzzDy4ew1h66iNTBOSdP+CVBgc9T-4Z3isfA@mail.gmail.com> <20150916210113.GP13294@localhost> <CABcZeBPY6JRnLiqd=-aQQ+8kZGHa3TujSr9+hn1CSt1B_X-r=Q@mail.gmail.com> <CAFewVt64QphK5=WtAZhN8A7uhjmMZ1wc0nLOKvS8sgTRwY_vkg@mail.gmail.com> <CABcZeBM9-pa5Cn0JR0vJhiN7H=86GcmFPKgriebNi28r0zTBnQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBM9-pa5Cn0JR0vJhiN7H=86GcmFPKgriebNi28r0zTBnQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sBk3j29QJPilYkJVmnQDckNFrIc>
Subject: Re: [TLS] Call for consensus to remove anonymous DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 00:21:14 -0000
On Wed, Sep 16, 2015 at 02:38:05PM -0700, Eric Rescorla wrote:
> The point I was making was that presently we have:
>
> - Certificates
> - Raw keys
> - Anon
>
> This proposal is to remove Anon, thus making things strictly simpler, since
> Raw keys can replace Anon but not the other way around. One might imagine
> a proposal to remove Raw keys, but that's not the question here and even if
> that failed (as I expect it would) things will still be simpler if we
> remove Anon.
The difference between raw public keys (RFC7250 RPK) and anon is:
- PRO: Dropping anon simplifies the implementation and reduces
cipher count.
- PRO: Raw keys may facilitate TOFU pinning.
- CON: Raw keys are not yet implemented in any toolkits I've seen
(a temporary setback perhaps).
- CON: Raw keys send more traffic (public key in certificate
message, plus signature of key agreement). Byte counts can
matter in some environments.
- CON: Raw keys consume more CPU (signing the key agreement).
- CON: Servers lose a simple signal that the client is not
bothering with authentication.
The costs are likely noticeable for 4096-bit RSA keys. In the end
though, if dropping anon_(EC)DH increases the chance that RPK gets
widely implemented, I can live with the cons.
--
Viktor.
- [TLS] Call for consensus to remove anonymous DH Joseph Salowey
- Re: [TLS] Call for consensus to remove anonymous … Tony Arcieri
- Re: [TLS] Call for consensus to remove anonymous … Tom Ritter
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Nikos Mavrogiannopoulos
- Re: [TLS] Call for consensus to remove anonymous … Aaron Zauner
- Re: [TLS] Call for consensus to remove anonymous … Martin Thomson
- Re: [TLS] Call for consensus to remove anonymous … Russ Housley
- Re: [TLS] Call for consensus to remove anonymous … Andrei Popov
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Salz, Rich
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Brian Smith
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Tony Arcieri
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Brian Smith
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams
- Re: [TLS] Call for consensus to remove anonymous … Dave Garrett
- Re: [TLS] Call for consensus to remove anonymous … Viktor Dukhovni
- Re: [TLS] Call for consensus to remove anonymous … Daniel Kahn Gillmor
- Re: [TLS] Call for consensus to remove anonymous … Viktor Dukhovni
- Re: [TLS] Call for consensus to remove anonymous … Daniel Kahn Gillmor
- Re: [TLS] Call for consensus to remove anonymous … Eric Rescorla
- Re: [TLS] Call for consensus to remove anonymous … Bill Frantz
- Re: [TLS] Call for consensus to remove anonymous … Nico Williams