
RE: [TLS] Re: NIST TLS recommendations



<Pasi.Eronen@xxxxxxxxx> writes:

>RFC 4279 does have "DHE_PSK" suites (Diffie-Hellman authenticated with a PSK;
>nothing anonymous there). Is this what you meant by DH_anon_PSK, or something
>else?

Sort of.  It's a naming problem: the main TLS spec uses 'DH_anon' to mean 'key
exchange without certificates', while the TLS-PSK spec uses 'DHE_PSK' to mean
'key exchange without certificates (but with mutual authentication via PSK)'
(re-reading my earlier posting, I was pretty unclear on this :-).  My concern
was that phrasing the authentication check purely as "verifying the
certificate" (as in, for example, Bodo's suggested text) would cause problems
if that were taken to apply to the PSK suites (and SRP and others) where
there's no certificate to verify.  Perhaps the "verifying the certificate"
could be generalised to something like "authenticating the key exchange, for
example by verifying the certificate".  As the text currently only applies to
DH_anon it's not a problem, but if there's ever any scope creep (the text gets
applied elsewhere, copied into the security considerations section, ...) it's
going to conflict with SRP, PSK, and other non-certificate-based
authentication mechanisms.

Peter.


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls