Re: [TLS] is it good using password for authentication only?

Also, it isn't too difficult to implement a PAKE. But there isn't a (known?) way to do it without adding rounds, if you want to protect the username. This is because the server needs the username before it can do anything with the password. Unless it has 0-RTT information the client can't en

Re: [TLS] Should we use proof-of-possession rather than signatures?

Sent from my phone. Please excuse brevity and typos. > On Nov 24, 2015, at 09:01, Eric Rescorla wrote: > > >> On Tue, Nov 24, 2015 at 8:25 AM, Bill Cox wrote: >> Much of the world seems to have switched to Schnorr-signature inspired ECC >> signature schemes such as ECDSA-P256 and Ed25519.

Re: [TLS] Explicit use of client and server random values

> On Dec 17, 2015, at 12:11 PM, Eric Rescorla wrote: > > > > On Thu, Dec 17, 2015 at 3:02 PM, Hugo Krawczyk > wrote: > I have mentioned this in private conversations but let me say this here: I > would prefer that the nonces be explicitly concatenated to the h

Re: [TLS] Explicit use of client and server random values

Whoops, big-R to reply all... > On Dec 17, 2015, at 9:39 PM, Hugo Krawczyk wrote: > > > On Thu, Dec 17, 2015 at 5:33 PM, Mike Hamburg <mailto:m...@shiftleft.org>> wrote: > > >> On Dec 17, 2015, at 12:11 PM, Eric Rescorla > <mailto:e...@rtfm.com>&g

Re: [TLS] Include Speck block cipher?

No. The goal should be to remove ciphers, not add new ones, unless we have a really compelling reason. Short source code is not a compelling reason in a protocol so complicated as TLS. Cheers, — Mike > On Mar 16, 2016, at 11:35 PM, Efthymios Iosifides > wrote: > > Hello all. > > I have ju