IETF-SSH archive


Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx



Daniel Kahn Gillmor <dkg%fifthhorseman.net@localhost> writes:

>0) either the software or the admin must manually provision the certificate
>for the server; this means making decisions about questions that don't
>necessarily have any good answers, which is not a situation you want your
>users to be in.  Servers operating in a pool now need to have some sort of
>secret key distribution mechanism, for example.

One option for this is for the server to auto-generate the cert on first
install/setup.  The alternative that's currently used on way too many devices
is for them to have a pre-generated generic cert with incorrect ID information
with the private key shared across all devices.

Peter.
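
The first-install auto-generation described in the message above, as an added example that is not part of the original thread: each device creates its own key and self-signed certificate once, named after its own hostname, so no private key ships in the image. The file names, the P-256 curve and the 10-year lifetime are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: per-device key and self-signed cert, created on first boot.
# File names, curve and lifetime are assumptions chosen for illustration.

# provision_cert DIR HOSTNAME
# Creates DIR/server.key and DIR/server.crt only when they do not exist yet,
# so every device gets a unique key instead of one shared across the fleet.
provision_cert() {
    dir=$1 host=$2
    key="$dir/server.key" crt="$dir/server.crt"
    # Idempotent: later boots must not replace an existing identity.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0
    fi
    mkdir -p "$dir" || return 1
    (
        umask 077   # the private key is mode 0600 from the moment it exists
        tmpkey="$key.tmp.$$" tmpcrt="$crt.tmp.$$"
        openssl ecparam -name prime256v1 -genkey -noout -out "$tmpkey" &&
        openssl req -x509 -new -key "$tmpkey" -sha256 -days 3650 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -out "$tmpcrt" &&
        chmod 644 "$tmpcrt" &&
        # Install the cert first and the key last: an interrupted run leaves
        # no key behind, so the next boot simply starts over.
        mv "$tmpcrt" "$crt" && mv "$tmpkey" "$key"
    ) || { rm -f "$key.tmp.$$" "$crt.tmp.$$"; return 1; }
}

# key_fingerprint CERT
# Prints the SHA-256 of the certificate's public key (hex). Two devices that
# report the same value are sharing a private key.
key_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Stand-alone use from a first-boot hook: script.sh DIR HOSTNAME
if [ "$#" -eq 2 ]; then
    provision_cert "$1" "$2"
fi
```

Comparing `key_fingerprint` output across a device fleet is also a quick audit for the shared-key firmware case the message mentions.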

