Hi Peter,
We discussed this among the [DOWLING] authors; Douglas asked me to chime
in here as he's offline the next couple of days.
It is indeed true that the PRF-ODH assumption, as stated in [DOWLING]
and https://ia.cr/2017/517, wouldn't be compatible when using the
x-coordinate only, or wi
Dear all,
Douglas and the other "TLS co-authors" discussed this briefly, but I
think that Douglas is offline for the next couple of days and asked me
if I could answer on behalf of the authors.
It is indeed true that the PRF-ODH assumption, as stated, wouldn't be
compatible with the usage of
I also support adoption of this draft.
I share David's observation that the client and server could simultaneously
initiate an Extended Key Update, but I had a different mitigation in mind: each
side chooses a random value and the higher value wins if there is another
ExtendedKeyUpdate alread