Couple of comments below.
On Fri, Feb 19, 2016 at 9:14 AM, Eric Rescorla wrote:
>
>
> On Fri, Feb 19, 2016 at 2:12 AM, Karthikeyan Bhargavan <
> karthik.bharga...@gmail.com> wrote:
>
>>
>> Note that this is (almost) exactly the original KDF scheme of OPTLS as I
>> presented in Dallas
>>
>>
>> In
On Fri, Feb 19, 2016 at 07:14:44AM -0700, Eric Rescorla wrote:
> On Fri, Feb 19, 2016 at 2:12 AM, Karthikeyan Bhargavan <
> karthik.bharga...@gmail.com> wrote:
>
> >
> > Note that this is (almost) exactly the original KDF scheme of OPTLS as I
> > presented in Dallas
> >
> >
> > Indeed, Ekr’s propo
On Fri, Feb 19, 2016 at 2:12 AM, Karthikeyan Bhargavan <
karthik.bharga...@gmail.com> wrote:
>
> Note that this is (almost) exactly the original KDF scheme of OPTLS as I
> presented in Dallas
>
>
> Indeed, Ekr’s proposed scheme looks much like your original diagram.
>
I would like to clarify that
> Note that this is (almost) exactly the original KDF scheme of OPTLS as I
> presented in Dallas
Indeed, Ekr’s proposed scheme looks much like your original diagram.
> Anyway, from here you can see that the last HKDF in your scheme (with 0 salt)
> is not needed. You can derive the RMS, EMS keys d
I agree that once you remove the requirement to derive a key from g^xy (=ES)
for protecting a static DH key then the KDF scheme can be simplified as
shown
(or even further - see below).
Note that this is (almost) exactly the original KDF scheme of OPTLS as I
presented in Dallas
https://www.ietf.or
Hi folks,
TL;DR.
Let's simplify the key schedule.
DETAILS
This is the second in a series of proposed simplifications to TLS 1.3
based on implementation experience and analysis once the protocol
starts to harden. The following suggestion comes out of conversations
with Richard Barnes, Karthik Bh