RE: [TLS] Re: NIST TLS recommendations
Bodo Moeller wrote:
> This is exactly right, however it certainly is reasonable to add some
> language to the specification that points out that these ciphersuites
> should *usually* not be enabled. Here is a proposal for A.5.
>
> The following cipher suites are used for completely anonymous
> Diffie-Hellman communications in which neither party is
> authenticated. Note that this mode is vulnerable to
> man-in-the-middle attacks. Using this mode therefore is
> deprecated: These ciphersuites MUST NOT be used by TLS 1.1
> implementations unless the application layer has specifically
> requested to allow anonymous key exchange. (Anonymous key
> exchange may sometimes be acceptable, for example, to support
> opportunistic encryption when no set-up for authentication is in
> place, or when TLS is used as part of more complex security
> protocols that have other means to ensure authentication.)

I'm not sure if "deprecated" is the right word to use; at least to me
it suggests that the feature is obsolete, and users should not expect
it to be supported in the future.

This is not the case here: DH_anon ciphersuites are just a feature
with very special and limited use cases (that are quite different
from all the other ciphersuites). Thus, the requirement "MUST NOT be
used ... unless the application layer has specifically requested to
allow anonymous key exchange" sounds right to me. (But it should
be "TLS 1.2 implementations", not 1.1 :-)

Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
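
The "MUST NOT be used ... unless the application layer has specifically requested" rule discussed in this thread, sketched as server-side suite selection. This is an added example, not code from the thread or from any TLS implementation: the function names, the `allow_anonymous` flag and the sample offers are hypothetical, and the suite code points are taken from the IANA registry rather than from the message.

```python
import struct

# Anonymous DH suites (IANA code points; not listed in the message itself).
DH_ANON = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
}
# Authenticated suites this hypothetical server also supports.
AUTHENTICATED = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def parse_cipher_suites(vector: bytes) -> list[int]:
    """Decode a ClientHello cipher_suites vector: uint16 byte length, then uint16 ids."""
    if len(vector) < 2:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", vector)
    body = vector[2:]
    if n == 0 or n % 2 or n != len(body):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack(f"!{n // 2}H", body))


def select_suite(vector: bytes, allow_anonymous: bool = False):
    """Return the first offered suite that is enabled (client preference order).

    DH_anon suites are enabled only when the application opted in explicitly.
    """
    enabled = dict(AUTHENTICATED)
    if allow_anonymous:
        enabled.update(DH_ANON)
    for suite in parse_cipher_suites(vector):
        if suite in enabled:
            return enabled[suite]
    return None  # no common suite: the caller answers with handshake_failure


# Constructed sample offers (not captured traffic).
ANON_FIRST = struct.pack("!H3H", 6, 0x0034, 0x0018, 0x002F)
ANON_ONLY = struct.pack("!H2H", 4, 0x0034, 0x003A)

if __name__ == "__main__":
    print(select_suite(ANON_FIRST))                        # anon skipped by default
    print(select_suite(ANON_FIRST, allow_anonymous=True))  # explicit opt-in
    print(select_suite(ANON_ONLY))                         # fails closed
```

With the default setting a client that offers only DH_anon suites gets no match, so the handshake fails rather than silently falling back to an unauthenticated key exchange.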