anonymous DH & MITM
Tim Dierks
tim at dierks.org
Thu Oct 2 12:36:18 EDT 2003
At 11:50 PM 10/1/2003, Ian Grigg wrote:
>(AFAIK, self-signed certs in every way dominate
>ADH in functional terms.)
In TLS, AnonDH offers forward secrecy, but there are no RSA certificate
modes which do (except for ExportRSA). You can use ephemeral DH key
agreement keys with static certified DSA keys, though.
To be clear, this is a protocol issue, not really a self-signed certs vs.
DH issue. The only real difference between a self-signed cert and an
ephemeral bare public key is that you've got proof of private key
possession by somebody (if that matters to you), and the entity has bound a
self-asserted name & attributes to the key. Also, our extant infrastructure
makes it easier to cache a once-presented X.509 certificate for consistency
with future transactions, and self-signed certs fit more cleanly into a
hybrid model where some entities are trusted due to third-party
certification and some are directly approved.
- Tim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list