Ian Grigg <[EMAIL PROTECTED]>:

> I agree. As a side note, I think it is probably
> a good idea for TLS to deprecate ADH, simply
> because self-signed certs are more or less
> equivalent, and by unifying the protocol around
> certificates, it reduces some amount of complexity
> without major loss of functionality.

Actually the "anonymous" DH ciphersuites can be (and are) employed to implement *authenticated* DH by using non-TLS means for authentication. (Specifically, what you can do is authenticate the TLS Finished messages, which involve hashes of the complete handshake.) This can be useful for using TLS in protocols without tainting them with X.509, and without creating specific new TLS ciphersuites.

It is true that TLS would be (slightly) less complex if it didn't have both certificate-based and certificate-less ciphersuites. But TLS as employed in such protocols would become more complex if you had to use self-signed certificates (meaning that implementations would have to be able to parse X.509 stuff that currently can do without it).

Also note that using a self-signed certificate means that you actually have to sign it (after all, the peer might try and "verify" it). This means additional private-key operations, and thus makes the protocol slower.

Bottom line: Deprecating TLS ADH in favor of self-signed certificates would reduce complexity in a certain sense, but add complexity in other contexts. It also would make the handshake slower. I don't think it would be a good idea.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
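
The authentication of Finished messages described in the reply above, as an added example that is not part of the original post. It is a toy Python model (constructed group parameters, a hash-based stand-in for the TLS Finished computation, hypothetical function names) in which each side derives Finished values from its own view of an anonymous DH handshake and a key shared outside TLS is used to MAC them, so a substituted public value makes the check fail.

```python
import hashlib, hmac, secrets

# Toy model only: constructed group parameters, far too small for real use.
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def enc(n):
    return n.to_bytes(16, "big")

def finished_pair(priv, client_pub, server_pub, peer_pub):
    """Stand-in for the two TLS Finished values: keyed hashes of the full handshake."""
    master = hashlib.sha256(enc(pow(peer_pub, priv, P))).digest()
    transcript = hashlib.sha256(enc(client_pub) + enc(server_pub)).digest()
    return tuple(hmac.new(master, label + transcript, hashlib.sha256).digest()
                 for label in (b"client finished", b"server finished"))

def bind(auth_key, fin):
    """Non-TLS authentication: MAC both Finished values under a key TLS never sees."""
    return hmac.new(auth_key, fin[0] + fin[1], hashlib.sha256).digest()

def run(client_key, server_key, mitm=False):
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if mitm:
        # Interceptor substitutes its own public value in both directions.
        _, m_pub = dh_keypair()
        seen_by_client, seen_by_server = m_pub, m_pub
    else:
        seen_by_client, seen_by_server = s_pub, c_pub
    # Each side computes Finished values from the handshake as it saw it.
    c_fin = finished_pair(c_priv, c_pub, seen_by_client, seen_by_client)
    s_fin = finished_pair(s_priv, seen_by_server, s_pub, seen_by_server)
    tag = bind(client_key, c_fin)              # client sends this tag to the server
    return hmac.compare_digest(tag, bind(server_key, s_fin))

if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed shared authentication key
    print("honest handshake accepted:", run(key, key))
    print("intercepted handshake accepted:", run(key, key, mitm=True))
    print("wrong key accepted:", run(key, b"\x00" * 32))
```

Only the client-to-server direction is checked here; a mutual variant would have the server return its own tag over the same Finished values with a distinct label.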
