On Friday, October 09, 2015 04:38:00 pm Viktor Dukhovni wrote:
> So even 2^{-48} is perhaps not quite low enough.

Going to a full 64-bit looks like a good idea to me. The loss of those 4 bytes of entropy for old versions isn't likely to matter at all, though; please correct me if someone thinks otherwise.

On a related note, I think it might be a good idea to add a note somewhere stating that TLS 1.3 now only uses the hello random values indirectly, but they're still used via the session hash.

On a tangential note, if anyone sees the need to increase the entropy introduced in the hellos, a supplemental random extension sent by both endpoints would be trivial to create with the current design. (Questioning the size of the randoms here is an explicit question in the current TLS WG charter, as is the topic of additional downgrade mechanisms.)

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
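The mechanism under discussion (a fixed sentinel in the trailing bytes of ServerHello.random that a TLS 1.3-capable client checks when an older version gets negotiated, and the 2^{-48} versus 2^{-64} chance that a genuinely old server's random collides with it) is easier to reason about in code. The following is an added example written for this page, not code from the thread or from any TLS implementation. It uses the 8-byte sentinel values that RFC 8446 later standardised; at the time of this message the exact bytes were still being decided, so treat the values, the version tuples and the function names as illustration rather than as the draft under discussion.

```python
"""Added example (not from the TLS list thread): client-side downgrade-sentinel
check on ServerHello.random, plus the per-handshake false-positive probability
of an n-bit sentinel against a legitimately old server whose random is uniform."""
import secrets

# Sentinel values as standardised in RFC 8446 section 4.1.3 (last 8 bytes of
# ServerHello.random). Assumed here for illustration; the 2015 draft differed.
SENTINEL_TLS12 = b"DOWNGRD\x01"          # 1.3-capable server negotiated TLS 1.2
SENTINEL_TLS11_OR_LOWER = b"DOWNGRD\x00"  # 1.3-capable server negotiated <= 1.1
SENTINELS = (SENTINEL_TLS12, SENTINEL_TLS11_OR_LOWER)

# Protocol versions as (major, minor) tuples so they compare naturally.
TLS11 = (3, 2)
TLS12 = (3, 3)
TLS13 = (3, 4)


def server_random(negotiated, server_max):
    """Build a 32-byte ServerHello.random the way a server would (constructed
    model, not a TLS stack). A server that supports TLS 1.3 but ends up
    negotiating a lower version overwrites the last 8 random bytes with the
    sentinel; an old server knows nothing about sentinels and sends 32 uniform
    bytes, which is exactly the case where an accidental match is possible."""
    rnd = bytearray(secrets.token_bytes(32))
    if server_max >= TLS13 and negotiated < TLS13:
        rnd[-8:] = SENTINEL_TLS12 if negotiated == TLS12 else SENTINEL_TLS11_OR_LOWER
    return bytes(rnd)


def client_detects_downgrade(random32, negotiated, client_max):
    """Return True when a TLS 1.3-capable client must abort: the negotiated
    version is below 1.3 and the server random carries either sentinel. Clients
    that do not themselves support 1.3 never look, and a 1.3 negotiation carries
    no sentinel by construction."""
    if len(random32) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    if client_max < TLS13 or negotiated >= TLS13:
        return False
    return random32[-8:] in SENTINELS


def false_positive_probability(sentinel_bits, n_sentinels=1):
    """Chance that a uniform random tail from a server that has never heard of
    the sentinel matches one of n_sentinels values of sentinel_bits bits each,
    i.e. the chance a 1.3 client wrongly aborts a handshake with an honest old
    server. This is the 2^-48 vs 2^-64 figure discussed in the thread."""
    return n_sentinels * 2.0 ** (-sentinel_bits)


def remaining_entropy_bits(sentinel_bits, random_bytes=32):
    """Entropy left in the hello random once the sentinel occupies part of it."""
    return random_bytes * 8 - sentinel_bits


if __name__ == "__main__":
    # Honest 1.3 server, attacker stripped 1.3 from ClientHello: client aborts.
    r = server_random(negotiated=TLS12, server_max=TLS13)
    print("downgrade detected:", client_detects_downgrade(r, TLS12, TLS13))
    # Honest old server, no sentinel knowledge: client proceeds.
    r = server_random(negotiated=TLS12, server_max=TLS12)
    print("downgrade detected:", client_detects_downgrade(r, TLS12, TLS13))
    for bits in (48, 64):
        print(bits, "bit sentinel: false-positive per handshake =",
              false_positive_probability(bits, len(SENTINELS)),
              "remaining entropy =", remaining_entropy_bits(bits))
```

The false-positive figure is the one that matters for deployment: it is the rate at which a strictly correct TLS 1.3 client would refuse to talk to a perfectly honest TLS 1.2-only server, so it has to be far below anything an operator would ever notice. Widening the sentinel from 48 to 64 bits buys a factor of 2^16 there at the cost of two more bytes of nonce entropy, which is the trade-off the thread is weighing.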