
Re: [TLS] Re: NIST TLS recommendations



Simon Josefsson <jas@xxxxxxxxxxx> writes:

>I believe fully anonymous ciphers are a useful feature of TLS, and that they
>should stay.  Client/server authentication can and does happen via other
>protocols than TLS, and those protocols can use TLS channel bindings to
>protect against man in the middle attacks, if necessary.

DH_anon is very widely used for opportunistic encryption in systems supporting
STARTTLS/STLS/AUTH TLS and similar mechanisms.

(Actually that's not 100% accurate, what's used is something like DHE with a
 self-signed cert that typically isn't checked, so it's a mechanism that acts
 like DH_anon without actually being DH_anon.  So I don't know if deprecating
 DH_anon will have much effect when the situations where it would be needed
 are using other mechanisms in the manner of DH_anon.  This is an interesting
 question, are you trying to deprecate the thing labelled DH_anon, or to
 deprecate the practice of making unauthenticated connections?).

Peter.

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
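
The distinction drawn in the message above, between the suite labelled DH_anon and the practice of not authenticating the peer, can be measured in session data. This is an added example, not part of the original email: the session records are constructed, and the function names and the `peer_verified` flag are assumptions for illustration.

```python
from collections import Counter

# Constructed sample records (not captured traffic):
# (negotiated cipher suite, did the client validate the peer certificate?)
SESSIONS = [
    ("TLS_DH_anon_WITH_AES_128_CBC_SHA", False),  # anonymous by label
    ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", False),  # self-signed cert, never checked
    ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", False),  # self-signed cert, never checked
    ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", True),   # certificate validated
    ("TLS_RSA_WITH_AES_128_CBC_SHA", True),       # certificate validated
]


def is_anon_suite(suite):
    """True when the suite itself provides no server authentication (*_anon_* names)."""
    return "_anon_" in suite


def classify(suite, peer_verified):
    """Separate what the suite name says from what the endpoint actually did."""
    if is_anon_suite(suite):
        return "anonymous-by-label"
    if not peer_verified:
        # An authenticated suite whose certificate is ignored gives the same
        # assurance as an anonymous one: encryption to an unverified peer.
        return "anonymous-in-practice"
    return "authenticated"


def summarize(sessions):
    """Count sessions per class."""
    return Counter(classify(suite, verified) for suite, verified in sessions)


def unauthenticated_after_deprecation(sessions):
    """Sessions that remain unauthenticated even if every *_anon_* suite is refused."""
    return [s for s in sessions if classify(*s) == "anonymous-in-practice"]


if __name__ == "__main__":
    for label, count in sorted(summarize(SESSIONS).items()):
        print(f"{label}: {count}")
    remaining = unauthenticated_after_deprecation(SESSIONS)
    print(f"still unauthenticated without DH_anon: {len(remaining)}")
```

An audit that keys only on the suite name would report one anonymous session in this sample, while three of the five sessions are unauthenticated.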