On Wed, Sep 16, 2015 at 02:38:05PM -0700, Eric Rescorla wrote:
> The point I was making was that presently we have:
>
> - Certificates
> - Raw keys
> - Anon
>
> This proposal is to remove Anon, thus making things strictly simpler, since
> Raw keys can replace Anon but not the other way around. One might imagine
> a proposal to remove Raw keys, but that's not the question here and even if
> that failed (as I expect it would) things will still be simpler if we
> remove Anon.
The difference between raw public keys (RFC7250 RPK) and anon is:
- PRO: Dropping anon simplifies the implementation and reduces
cipher count.
- PRO: Raw keys may facilitate TOFU pinning.
- CON: Raw keys are not yet implemented in any toolkits I've seen
(a temporary setback perhaps).
- CON: Raw keys send more traffic (public key in certificate
message, plus signature of key agreement). Byte counts can
matter in some environments.
- CON: Raw keys consume more CPU (signing the key agreement).
- CON: Servers lose a simple signal that the client is not
bothering with authentication.
The costs are likely noticeable for 4096-bit RSA keys. In the end
though, if dropping anon_(EC)DH increases the chance that RPK gets
widely implemented, I can live with the cons.
--
Viktor.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
