On 11 August 2015 at 11:25, Karthikeyan Bhargavan <karthik.bharga...@gmail.com> wrote:

> No, a regular ECDSA certificate would do.
> That is, the attack would work as long as
> - a client has an ECDSA certificate, and
> - it enables any static TLS_ECDH_* cipher suite, and
> - its ECDSA private key has been stolen (or chosen) by an attacker.
I don't see how that would work. A client that understands the cert to be ECDSA won't pair the key with the server's ECDH share; they will sign the session transcript with it.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls