[14432] in cryptography@c2.net mail archive
Re: anonymous DH & MITM
daemon@ATHENA.MIT.EDU (Tim Dierks)
Thu Oct 2 15:29:18 2003
X-Original-To: cryptography@metzdowd.com
Date: Thu, 02 Oct 2003 12:36:18 -0400
To: iang@systemics.com
From: Tim Dierks <tim@dierks.org>
Cc: Cryptography list <cryptography@metzdowd.com>
In-Reply-To: <3F7BA069.DE455E61@systemics.com>

At 11:50 PM 10/1/2003, Ian Grigg wrote:
>(AFAIK, self-signed certs in every way dominate
>ADH in functional terms.)

In TLS, AnonDH offers forward secrecy, but there are no RSA certificate
modes which do (except for ExportRSA). You can use ephemeral DH key
agreement keys with static certified DSA keys, though.

To be clear, this is a protocol issue, not really a self-signed certs vs.
DH issue. The only real difference between a self-signed cert and an
ephemeral bare public key is that you've got proof of private key
possession by somebody (if that matters to you), and the entity has bound a
self-asserted name & attributes to the key. Also, our extant infrastructure
makes it easier to cache a once-presented X.509 certificate for consistency
with future transactions, and self-signed certs fit more cleanly into a
hybrid model where some entities are trusted due to third-party
certification and some are directly approved.

- Tim
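
As an added illustration, not part of the original message: the hybrid trust model described above, where a certificate is accepted either because a third party certified it or because it was directly approved once and cached for consistency with later transactions. The class name `ContinuityCache`, the decision labels, the `approve` callback and the byte strings standing in for DER certificates are assumptions made for this example.

```python
import hashlib

# Decision labels (assumed names for this example).
CA_TRUSTED = "ca-trusted"      # chain validated to a third-party CA
FIRST_USE = "first-use"        # unknown cert, directly approved and cached
PIN_MATCH = "pin-match"        # same cert as the cached one
PIN_MISMATCH = "pin-mismatch"  # cert changed since it was cached
REJECTED = "rejected"          # unknown cert, not approved


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class ContinuityCache:
    """Hypothetical cache of directly approved (e.g. self-signed) certs."""

    def __init__(self):
        self._pins = {}  # peer name -> fingerprint approved on first contact

    def evaluate(self, peer, cert_der, ca_validated, approve=lambda peer, fp: False):
        if ca_validated:
            return CA_TRUSTED  # third-party certification, no pin needed
        fp = fingerprint(cert_der)
        pinned = self._pins.get(peer)
        if pinned is None:
            # First contact is unauthenticated; the cache only detects
            # a later change of certificate.
            if approve(peer, fp):
                self._pins[peer] = fp
                return FIRST_USE
            return REJECTED
        return PIN_MATCH if pinned == fp else PIN_MISMATCH


def demo():
    """Run constructed byte strings (stand-ins for DER certs) through the cache."""
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    yes = lambda peer, fp: True
    cache = ContinuityCache()
    return [
        cache.evaluate("mail.example", cert_a, False),       # nobody approved it
        cache.evaluate("mail.example", cert_a, False, yes),  # approved, cached
        cache.evaluate("mail.example", cert_a, False),       # consistent
        cache.evaluate("mail.example", cert_b, False),       # changed cert
        cache.evaluate("www.example", cert_b, True),         # CA-certified
    ]
```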