Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

2015-10-15 Thread Matt Caswell
On 15/10/15 00:04, Watson Ladd wrote: > On Wed, Oct 14, 2015 at 6:43 PM, Matt Caswell wrote: >> >> >> On 14/10/15 21:42, Martin Thomson wrote: >>> On 14 October 2015 at 13:29, David Benjamin wrote: If you really absolutely must support interleave and can't avoid it, I think it b

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

2015-10-15 Thread Matt Caswell
On 15/10/15 00:06, Martin Thomson wrote:
> On 14 October 2015 at 15:43, Matt Caswell wrote:
>> "highly dangerous idea"
>
> Wrong Martin.
Oops. Sorry.
> I agree that there is a need for caution, but in
> reality, it's not like you can use renegotiation to hand-off to
> someone else entirely.

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

2015-10-15 Thread Martin Rex
Is the particular interop problem that you want to address caused by a necessity to really process application data and handshake data with arbitrary interleave, or is it rather a problem of getting back into half-duplex operation, i.e. a client being able to continue receiving application data up

[TLS] New curves work and TLS

2015-10-15 Thread Ilari Liusvaara
As you might know, CFRG has been working on new curves (the document has been sent to IRSG) and is working on signatures (main issues seem to be selecting prehash for prehashed version of 448-bit signatures and KDF for 448-bit signatures). I have been thinking how to integrate this work into TLS.

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

2015-10-15 Thread Matt Caswell
On 15/10/15 14:00, Martin Rex wrote:
> Is the particular interop problem that you want to address
> caused by a necessity to really process application data and
> handshake data with arbitrary interleave,
>
> or is it rather a problem of getting back into half-duplex operation,
> i.e. a client b

Re: [TLS] New curves work and TLS

2015-10-15 Thread Eric Rescorla
On Thu, Oct 15, 2015 at 12:17 PM, Dave Garrett wrote:
> On Thursday, October 15, 2015 09:09:39 am Ilari Liusvaara wrote:
> > So, there are four primitives: Ed25519, Ed25519ph, Ed448 and
> > Ed448ph. And keys MUST NOT be mixed between those.
> >
> > I propose the following:
> > - EdDSA uses one Si

[TLS] OPTLS paper posted

2015-10-15 Thread Hugo Krawczyk
The OPTLS paper (preprint) explaining the rationale of the protocol and its analysis is posted here: http://eprint.iacr.org/2015/978. The OPTLS design provides the basis for the handshake modes specified in the current TLS 1.3 draft including 0-RTT, 1-RTT variants, and PSK modes (client authentica

Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-pinning-ticket-00.txt

2015-10-15 Thread Daniel Kahn Gillmor
On Mon 2015-10-12 09:18:17 -0400, Yaron Sheffer wrote:
> I'm not familiar enough with TACK at the moment. I can write something
> up, or if you'd like to contribute text, that'll be awesome.
i'm not up-to-speed yet either, and am unlikely to be able to get to this soon, sorry!
> IMO persisting t