Re: [TLS] Call for consensus to remove anonymous DH

2015-09-17 Thread Nico Williams
On Wed, Sep 16, 2015 at 06:40:47PM -0700, Bill Frantz wrote:
> I agree with both Nico and Viktor. For me the big win of RPK over
> anon_(EC)DH is it allows TOFU. If TOFU isn't needed, short public
> keys should ease many of Viktor's cons. I also like the idea of
> simpler implementations.

Eh,

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Nico Williams
On Wed, Sep 16, 2015 at 10:40:28AM -0700, Martin Thomson wrote:
> On 15 September 2015 at 18:00, Joseph Salowey wrote:
> > remove anonymous DH
>
> +1
>
> It's not like we're making the use case impossible, just that the
> solution will look different.

And will be more costly.

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Nico Williams
On Wed, Sep 16, 2015 at 01:20:37PM -0700, Brian Smith wrote:
> I think it is a good idea to remove DH_anon_* and similar ECDH_anon_*
> cipher suites.
>
> This isn't an endorsement of the raw public key modes.

Sure, one can always use self-signed certs (at an even higher cost to do anonymity).

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Eric Rescorla
In addition, they are already part of TLS, so the question would be if we have consensus to remove them

-Ekr

On Wed, Sep 16, 2015 at 2:01 PM, Nico Williams wrote:
> On Wed, Sep 16, 2015 at 01:20:37PM -0700, Brian Smith wrote:
> > I think it is a good idea to remove

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Nico Williams
On Wed, Sep 16, 2015 at 07:07:31PM -0400, Dave Garrett wrote:
> This appears to just be a miscommunication.

It is not.

> The current poll is to remove anon ciphers in favor of raw public
> keys. We're not considering removing raw public keys, as far as I
> know, and I think most of us would be

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Bill Frantz
On 9/16/15 at 4:23 PM, n...@cryptonector.com (Nico Williams) wrote:
Whichever one is removed, I shall oppose the removal of the other.

On 9/17/15 at 5:21 PM, ietf-d...@dukhovni.org (Viktor Dukhovni) wrote:
The costs are likely noticeable for 4096-bit RSA keys. In the end though, if

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Nico Williams
On Wed, Sep 16, 2015 at 02:25:52PM -0700, Brian Smith wrote:
> On Wed, Sep 16, 2015 at 2:05 PM, Eric Rescorla wrote:
> >
> > In addition, they are already part of TLS, so the question would be if we
> > have
> > consensus to remove them
> >
>
> This thread is about the removal

Re: [TLS] Call for consensus to remove anonymous DH

2015-09-16 Thread Salz, Rich
Remove it.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz