Re: [TLS] Re: NIST TLS recomendations
Bodo Moeller <bmoeller@xxxxxxx> writes:
> Note that using non-anonymous key exchange but not verifying the
> certificate is essentially equivalent to anonymous key exchange,
> and the same precautions apply. While non-anonymous key exchange
> will generally involve a higher computational and communicational
> cost than anonymous key exchange, it may be in the interest of
> interoperability not to disable non-anonymous key exchange when the
> application layer is allowing anonymous key exchange.

OK, that gets my grunt of approval :-). However, I've just thought of another
issue: is it worth noting the special case of a potential DH_anon with
TLS-PSK? Currently there are no DH_anon_PSK suites defined, but it would seem
that one of the goals of TLS-PSK (operation on low-powered devices) would be
met by DH_anon_PSK, since the PSK avoids the need for the unnecessary cert
verification. So maybe the text could include an additional note, something
like "In some cases additional authentication mechanisms like TLS-PSK may
obviate the need for conventional authenticated DH, since mutual
authentication is being provided by the use of TLS-PSK alongside the DH
exchange. In other words even though a DH_anon_PSK suite would contain the
term 'anon', it's not really anonymous DH" (the same obviously goes for other
auth. mechanisms added to "anonymous" DH like SRP).

Alternatively, maybe DH_anon needs a special name when used with TLS-PSK,
something like "DH_PSK" without the "anon" bit. This follows the pattern set
by TLS-SRP, which uses "TLS_SRP_..." even though, in conventional TLS terms,
what it's doing is TLS_DH_anon for those SRP suites that don't use server
certs.

Peter.
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls