On Tue, May 24, 2016 at 05:08:38PM +0000, Salz, Rich wrote:

> > 2) Are the same encryption keys used every time with ADH?
>
> Yes. That's the other BIG reason :) You really want ephemeral, and
> therefore ECDH

NO, Rich is making a mistake: ADH is ephemeral of necessity, since without
long-term keys in certificates it is impossible to use long-term keys whose
disclosure might later compromise confidentiality.

> > 3) Is it possible to use ephemeral DH without using certificates? I was not
> > able to get that to work.
>
> Yes. This is "null" auth.

Essentially: aNULL == (ADH || AECDH).

-- 
Viktor.
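Added example, not part of Viktor's reply and not OpenSSL's own tooling: a small check built on Python's standard-library ssl module that lists the suites an OpenSSL cipher string enables in the local OpenSSL build and flags the anonymous ones, so a server's cipher configuration can be audited for the aNULL group (ADH plus AECDH) discussed above. The function names are this example's own; the one assumption about OpenSSL is its naming convention, under which anonymous suites are called ADH-* (finite-field DH) and AECDH-* (elliptic-curve DH).

```python
# Added example (not from the thread): audit an OpenSSL cipher string for the
# anonymous suites that make up aNULL == (ADH || AECDH).
import ssl

# Assumption about OpenSSL naming: anonymous finite-field DH suites are named
# ADH-*, anonymous elliptic-curve DH suites AECDH-*.
ANON_NAME_PREFIXES = ("ADH-", "AECDH-")


def is_anonymous_name(cipher_name):
    """True for an OpenSSL cipher name that belongs to the aNULL group."""
    return cipher_name.startswith(ANON_NAME_PREFIXES)


def enabled_suites(cipher_string):
    """Names of the suites `cipher_string` selects in this Python's OpenSSL build.

    Returns [] when OpenSSL rejects the string because it matches no suite
    (for instance a build that compiled the anonymous suites out).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def anonymous_suites(cipher_string):
    """Subset of enabled_suites() that offers no peer authentication at all."""
    return [name for name in enabled_suites(cipher_string) if is_anonymous_name(name)]


def rejects_anonymous(cipher_string):
    """Hardening check: does the string leave every anonymous suite disabled?"""
    return not anonymous_suites(cipher_string)


if __name__ == "__main__":
    # Three constructed cipher strings: the aNULL group itself, the usual
    # exclusion, and OpenSSL's DEFAULT (which already excludes aNULL).
    for cs in ("aNULL", "ALL:!aNULL", "DEFAULT"):
        anon = anonymous_suites(cs)
        verdict = "OK" if rejects_anonymous(cs) else "unauthenticated peer possible"
        print(f"{cs:12s} anonymous suites: {len(anon):3d}  {verdict}")
        for name in anon[:3]:
            print("    ", name)
```

The point the check makes concrete is the one Viktor draws: an ADH or AECDH suite does use a fresh Diffie-Hellman exchange per handshake, so a later key disclosure cannot unwrap old sessions, but because neither side proves who it is, the session is protected only against a passive observer. Appending `:!aNULL` (or simply keeping OpenSSL's DEFAULT, which already excludes the group) is the configuration-level fix, and `rejects_anonymous()` is the regression test for it.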