I'm finding myself a bit unclear on the scenario people are concerned about.
It seems like there are two potential cases:
1. You have an implementation which already does some of the algorithms
we know are susceptible to THS-type attacks.
2. You have an implementation which only does the CFRG cur
On Wed, Dec 30, 2015 at 7:40 PM, Brian Smith wrote:
> When you say "the plan," whose plan are you referring to? If you read that
> whole thread, there was a lot of well-founded opposition to that plan. And,
> that plan was never carried out. That is plain to see, as there was never a
> draft submi
On Thu, Dec 31, 2015 at 9:43 AM, Adam Langley wrote:
> On Wed, Dec 30, 2015 at 7:40 PM, Brian Smith wrote:
> > When you say "the plan," whose plan are you referring to? If you read that
> > whole thread, there was a lot of well-founded opposition to that plan. And,
> > that plan was never ca
On 31 December 2015 at 17:54, Ilari Liusvaara wrote:
> Zero checks can already be unit-tested/interop-tested just as well.
What ekr said applies, but also this:
Yes, you can test that a given implementation does the right checks,
but you won't be checking during normal operation. If you requir
I think Watson made a good point about "omittable checks". If an
implementation A "omits" this mechanism, it should fail session establishment.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
Original Message
From: Alyssa Rowan
Sent: Thursday, December 31, 2015
On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> On 31 December 2015 at 17:54, Ilari Liusvaara wrote:
> > Zero checks can already be unit-tested/interop-tested just as well.
>
> What ekr said applies, but also this:
I thought ekr's point was that if you need THS resist
On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara wrote:
> On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> > On 31 December 2015 at 17:54, Ilari Liusvaara wrote:
> > > Zero checks can already be unit-tested/interop-tested just as well.
> >
> > What ekr said applies, but a
On Wed, Dec 30, 2015 at 09:16:12PM -0500, Watson Ladd wrote:
> On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith wrote:
> > Watson Ladd wrote:
> >
> > Actually, because the check for non-zero result can/should/is in the
> > X25519/X448 functions themselves, the check for non-zero result is the least
>
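The zero check being argued over is the one RFC 7748 section 6.1 describes: after the X25519 ladder, test whether the 32-byte shared secret is all zeros and abort if it is, because that is exactly what a small-order peer public key produces. What follows is an added example, not code from this thread or from any implementation mentioned in it: a pure-Python transcription of the RFC 7748 ladder with the check placed inside the X25519 function itself (the placement Brian Smith's quoted message argues for, so that no caller can "omit" it), exercised against the RFC's published test vectors and against three small-order u-coordinates, 0, 1 and p-1 (constructed inputs, not from the page). The names x25519_raw, x25519, is_all_zero, LowOrderPointError and rejected are this example's own.

```python
# Added example: RFC 7748 X25519 with the all-zero shared-secret check
# placed inside the DH function. Names below are this example's own.
P = 2**255 - 19          # field prime
A24 = 121665             # (A - 2) / 4 for Curve25519's A = 486662
BITS = 255


def _decode_u(b: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate; mask bit 255 (RFC 7748 s5)."""
    if len(b) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    u = bytearray(b)
    u[31] &= 0x7F
    return int.from_bytes(u, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp: clear the low 3 bits, clear bit 255, set bit 254 (RFC 7748 s5)."""
    if len(k) != 32:
        raise ValueError("scalar must be 32 bytes")
    s = bytearray(k)
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return int.from_bytes(s, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free swap in the RFC's shape (CPython big ints are NOT constant-time)."""
    dummy = (0 - swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519_raw(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 s5. Returns the raw 32-byte result, NO zero check."""
    n, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(BITS - 1, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    # z2 == 0 (the point at infinity) makes this 0: that is the all-zero output.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def is_all_zero(secret: bytes) -> bool:
    """OR-accumulate every byte so the result does not depend on which byte is non-zero."""
    acc = 0
    for byte in secret:
        acc |= byte
    return acc == 0


class LowOrderPointError(ValueError):
    """Raised when the peer's key has small order; the caller must abort the handshake."""


def x25519(k: bytes, u: bytes) -> bytes:
    """DH step with the RFC 7748 s6.1 check built in, so no caller can omit it."""
    secret = x25519_raw(k, u)
    if is_all_zero(secret):
        raise LowOrderPointError("all-zero shared secret: small-order peer point")
    return secret


def x25519_public(k: bytes) -> bytes:
    """Public key = X25519(k, 9)."""
    return x25519_raw(k, (9).to_bytes(32, "little"))


# RFC 7748 s5.2 test vector 1 and the s6.1 Diffie-Hellman example.
TV1_SCALAR = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
TV1_U = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
TV1_OUT = bytes.fromhex("c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Constructed small-order u-coordinates (not from the page): 0, 1 and p-1.
# Every clamped scalar is a multiple of 8, so each maps to the identity -> output 0.
LOW_ORDER = [(0).to_bytes(32, "little"), (1).to_bytes(32, "little"),
             (P - 1).to_bytes(32, "little")]


def rejected(k: bytes, u: bytes) -> bool:
    """True if x25519() aborts on u, which is what an implementation must do."""
    try:
        x25519(k, u)
    except LowOrderPointError:
        return True
    return False


if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BOB_PUB) == SHARED
    print("small-order points rejected:", all(rejected(ALICE_PRIV, u) for u in LOW_ORDER))
```

The point the example makes about the thread's question: x25519_raw on any of the three small-order inputs returns 32 zero bytes without error, so an implementation that exposes only the raw ladder and leaves the check to callers will happily derive keys from a secret the attacker chose. Putting the check inside x25519() means an interop test against a peer that sends u = 0 is a complete test of the check, not just a unit test of a function the caller may never invoke. In a C implementation the OR-accumulate in is_all_zero should be written over volatile bytes so the compiler cannot turn it back into an early-exit comparison.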
On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara wrote:
>
> 2. Implementations which only do new algorithms can mandate EMS and not
> implement old derivation at all, provided we make that a rule here.
Well, the EMS spec already
On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara wrote:
> On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> >
> > 2. Implementations which only do new algorithms can mandate EMS and not
On Thu, Dec 31, 2015 at 12:55:09PM -0800, Eric Rescorla wrote:
> On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara wrote:
>
> > On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> > > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> >
Hi,
* Simon Josefsson [16/12/2015 09:44:55] wrote:
> I don't like re-keying. It is usually a sign that your primitives are
> too weak and you are attempting to hide that fact. To me, it is similar
> to discarding the first X bytes of RC4 output.
>
> If AES-GCM cannot provide confidentiality beyond
* Aaron Zauner [01/01/2016 07:35:26] wrote:
> This might be a good time to point again to my existing AES-OCB
> draft that hasn't really seen a lot of discussion nor love lately.
> It expired but I've recently updated the draft (not yet uploaded
> to IETF as I'm waiting for implementer feedback fr
On Fri, Jan 01, 2016 at 08:04:11AM +0100, Aaron Zauner wrote:
> * Aaron Zauner [01/01/2016 07:35:26] wrote:
> > This might be a good time to point again to my existing AES-OCB
> > draft that hasn't really seen a lot of discussion nor love lately.
> > It expired but I've recently updated the draft