My thanks to Russ for presenting the two alternatives.
I would want the Ephemeral-Static D-H to be included. I'll abbreviate
this as ES and the alternative as SS.
Let me outline my reasons.
1. ES does not force authentication. With SS there is an implied
signature which would make such messages traceable: effectively forcing
the originator to sign everything. Personally I don't want to be forced
to sign everything I send.
There was a requirement to add anon DH to the current CMS for this
reason. Jim Schaad wrote in a message on 28 May:
At the December working group meeting, this was expressed as a desire from
the S/MIME side of CMS. People working for groups like Amnesty
International wanted to be able to send anonymous mail which could not be
traced back to them without having decrypted the message.
2. SS requires a fixed set of parameters. What happens if, in future,
some weakness is found in the chosen common parameter set? This could
prove painful to modify.
3. As I understand it SS has some additional security concerns. In
particular the originator's private key needs to be accessed: this can
cause considerable problems for automated systems (e.g. encrypted
mailing lists). Systems which need to be restartable without the
operator entering a password may be forced to either store the private
key unencrypted, rely on fixed "security by obscurity" keys or use some
In ES all that is needed is the recipient's public keys. A one time key
pair is generated in each case but it is discarded after use. This does
not require access to any sensitive information and it is much more
secure in automated environments.
In the SS case if an attacker obtains the private key while the process
is taking place then all future messages involving the originator can be
decrypted. In the ES case only the one message can be read.
4. The ES properties are very similar to those of the RSA equivalent for
key transport, which many are more familiar with.
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
PGP key: via homepage.