[Cryptography] At what point should people not use TLS?

fcorella at pomcor.com fcorella at pomcor.com
Tue Apr 12 23:31:26 EDT 2016


Trevor Perrin and Stephen Farrell have both referred to the design
goal of zero round trips.  I just wanted to point out that in our
secure channel design patterns <https://pomcor.com/techreports/M2MSec14.pdf> we easily achieve zero round trips, even
when the client and server have had no prior interaction, by
retrieving the server's long-term public key from the DNS rather than
from the server itself.  (More precisely, we retrieve information
needed to compute the public key.)  Which also has an obvious security
benefit besides achieving zero round trips.

This would be difficult to do in TLS, because the client would have to
retrieve the server's certificate chain, and the DNS may not be able
to supply that much data without hiccups.  We do not have that problem
because our design patterns are based on identity-based cryptography,
and the amount of data to be retrieved is very small.  Actually, in
small deployments no data needs to be retrieved at all, since the
server's public key is computed from its identity.  In a global
deployment, the client retrieves the identity of the private key
generator (PKG) that it uses, and a chain of identities of
higher-level PKGs up to a root PKG.  (PKGs are analogous to CAs.)  The
public key is computed from the public key of the root PKG and the
identities of the other PKGs, but the public key of the root PKG does
not have to be retrieved because it is present in the client (just
like the public key of a root CA in the TLS PKI).  So neither public
keys nor certificates need to be retrieved.

Francisco

