We presently have some support for DH_anon cipher suites. I agree that this
is a useful use case, but it's yet another mode.
I would like to suggest that we instead deprecate it and instead always use
the client would simply indicate support for a raw public key and the
server could then either (a) spin a new key for this use or (b) use a long-term
one. To my mind this has three advantages:
1. Complexity: It means that we have one less operational mode. And all the public key
modes would look cryptographically similar.
2. It resolves the question of how you bind to the server's identity in 0-RTT mode
that goes in the Certificate message.
3. It makes it easier to do an SSH-style leap-of-faith mode since the server can
use the same signing key for a long time while maintaining PFS.
It seems to me that the two major counterarguments are:
1. Extra computational cost from the signature. I'm not worried too much
about that since generally the anonymous contexts don't do a lot of connections
and we don't really want to encourage pure anonymous (i.e., non-TOFU) modes
2. It's less explicit that this is unverified. Arguably this is a feature rather than