Ludwig, Hannes, The differences with RFC7250 are twofold: 1. The raw public keys are not exchanged in the handshake sequence. Even with cached info (RFC7924), a fingerprint of the certificate (or raw public key) is exchanged. Also, a ClientVerify message is needed if mutual authentication is required (which is automatic with 3ECDH). These extra elements add to the size of the handshake exchange. They also identify the sender (whereas my draft encrypts the client identity), which can be an issue if privacy of the session endpoints is important.
2. ECDH cannot be used as a raw public key; instead ECDSA or EdDSA is needed. But ECDH is also needed if the handshake includes perfect forward secrecy (highly recommended/mandatory, depending on usage). Therefore the client has to implement two algorithms and may need to implement fast versions of both of them to reduce latency in session establishment. Using 3ECDH, the client only needs a single algorithm; if EdDSA is needed anyway (e.g. for code signing), then a slow version may be used which saves code-space and data-space. -- Tony > -----Original Message----- > From: Ace [mailto:[email protected]] On Behalf Of Ludwig Seitz > Hi Tony, > > could you explain the differences between your draft and the (D)TLS > handshake with raw public keys (https://tools.ietf.org/html/rfc7250)? > > /Ludwig > https://www.ietf.org/mailman/listinfo/ace Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK. This message is intended solely for the addressee and may contain confidential information. If you have received this message in error, please immediately and permanently delete it, and do not use, copy or disclose the information contained in this message or in any attachment. Dyson may monitor email traffic data and content for security & training. _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
