(AFAIK, self-signed certs in every way dominate ADH in functional terms.)
In TLS, AnonDH offers forward secrecy, but there are no RSA certificate modes which do (except for ExportRSA). You can use ephemeral DH key agreement keys with static certified DSA keys, though.
To be clear, this is a protocol issue, not really a self-signed certs vs. DH issue. The only real difference between a self-signed cert and an ephemeral bare public key is that you've got proof of private key possession by somebody (if that matters to you), and the entity has bound a self-asserted name & attributes to the key. Also, our extant infrastructure makes it easier to cache a once-presented X.509 certificate for consistency with future transactions, and self-signed certs fit more cleanly into a hybrid model where some entities are trusted due to third-party certification and some are directly approved.
- Tim
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
