Howard Chu wrote: > Michael Ströder wrote: >> Howard Chu wrote: >>> [email protected] wrote: >>>> >>>> ..."If the client does not send a certificate, it can still connect." >>>> >>>> >>>> Does that mean that traffic is still encrypted if a certificate is not >>>> used? >>> >>> Yes. Certificates are only for authentication, not encrypting the >>> traffic. >> >> Howard, I'm sure that you already know this but let's be more precise >> with the >> wording to avoid confusing people: >> >> Strictly speaking the *client cert* is only for authentication of the >> client. >> The public key in the server cert is also used for the secure key >> exchange for >> the symmetric cipher used and thus is indirectly used for encrypting the >> traffic (besides authenticating the server). > > But certificates are not a required element for encryption of a > connection - after all, TLS also supports anonymous Diffie-Hellman key > exchange.
In theory, yes. But personally I don't know any real-world TLS deployment with anonymous Diffie-Hellman key exchange. I don't even know deployments with DSA-based certs. Ciao, Michael.
