On Wed, Oct 21, 2015 at 11:01:45AM -0700, Eric Rescorla wrote:
> Folks,
>
> At the Seattle interim, we decided to have a small ad hoc design team
> go and figure out how to harmonize the various forms of client
> authentication. I've posted a WIP version of the output of that work
> at:
>
> https://github.com/tlswg/tls13-spec/pull/316
>
>
> So, what this draft does is adopt the following three messages.
>
> Certificate
> CertificateVerify
> Finished
>
> As the "TLS Authentication Block" and send them whenever we want to do
> authentication. [Note that we may eventually merge messages here, but
> that doesn't affect the logic.]
>
> In every case, the input to the block would be:
>
> - A session context (SC) which is (generally) the handshake
>   transcript up to this point.
> - A base key to compute the finished key from (the finished
>   keys are directional, so the client and server keys are
>   different).
>
> And then the signature covers: SC + Certificate
> And the MAC covers SC + Certificate + CertificateVerify
Perhaps I'm reading things wrong, but this change seems to pass raw Context+Certificate+Signature to HMAC to compute Finished. Due to the way HMAC works, this requires knowing the key for the MAC before one can start the pipe (I didn't look at when it becomes available) and requires a separate pipe from the ordinary transcript hash. Previously, Finished messages used the same transcript hash pipe as everything else using transcript hashing.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
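The two constructions Ilari contrasts, as an added illustration that is not part of the original message or of the draft in PR #316. The message contents, the hash choice (SHA-256) and the finished key are constructed placeholders, not real TLS 1.3 encodings or the draft's key schedule; what the code shows is the pipe structure: HMAC over the raw transcript bytes needs its key before the first byte is fed and so cannot share the running transcript hash, whereas HMAC over a snapshot of the transcript hash needs the key only at the moment Finished is computed.

```python
import hashlib
import hmac

HASH = hashlib.sha256

# Constructed placeholders for the handshake messages (not real TLS 1.3 encodings).
SESSION_CONTEXT = b"ClientHello|ServerHello|EncryptedExtensions"  # SC: transcript so far
CERTIFICATE = b"Certificate(chain)"
CERTIFICATE_VERIFY = b"CertificateVerify(signature)"
FINISHED_KEY = bytes(range(32))  # assumed directional finished key derived from the base key


def auth_block_raw(finished_key, sc, cert, cert_verify):
    """Reading of the draft text: Finished = HMAC(finished_key, SC || Certificate || CertificateVerify)
    over the raw bytes.

    HMAC mixes the key into its inner pad before the first message byte, so this pipe
    cannot be started until finished_key is known, and it cannot be the transcript hash
    that the signature input is taken from: two pipes are needed.
    """
    sig_pipe = HASH()                      # pipe 1: unkeyed transcript hash for the signature
    sig_pipe.update(sc)
    sig_pipe.update(cert)
    signature_input = sig_pipe.digest()    # hash of SC || Certificate

    mac = hmac.new(finished_key, digestmod=HASH)  # pipe 2: keyed from the very first byte
    for msg in (sc, cert, cert_verify):
        mac.update(msg)
    return {"signature_input": signature_input, "finished": mac.digest()}


def auth_block_one_pipe(finished_key_provider, sc, cert, cert_verify):
    """The earlier arrangement Ilari refers to: a single running transcript hash that every
    consumer snapshots (copy()) at its own point. Finished is the MAC of the snapshot, so the
    key is requested only after the whole transcript has already been fed into the pipe.

    finished_key_provider is a callable returning the finished key; it is deliberately
    invoked last to make the ordering explicit.
    """
    pipe = HASH()
    pipe.update(sc)
    pipe.update(cert)
    signature_input = pipe.copy().digest()  # snapshot over SC || Certificate
    pipe.update(cert_verify)
    transcript_hash = pipe.copy().digest()  # snapshot over SC || Certificate || CertificateVerify
    finished_key = finished_key_provider()  # key derived late; the pipe was already running
    finished = hmac.new(finished_key, transcript_hash, HASH).digest()
    return {"signature_input": signature_input, "finished": finished}


def matches_direct_computation():
    """Cross-check both constructions against one-shot reference formulas."""
    raw = auth_block_raw(FINISHED_KEY, SESSION_CONTEXT, CERTIFICATE, CERTIFICATE_VERIFY)
    one = auth_block_one_pipe(lambda: FINISHED_KEY, SESSION_CONTEXT, CERTIFICATE, CERTIFICATE_VERIFY)
    full = SESSION_CONTEXT + CERTIFICATE + CERTIFICATE_VERIFY
    raw_ok = raw["finished"] == hmac.new(FINISHED_KEY, full, HASH).digest()
    one_ok = one["finished"] == hmac.new(FINISHED_KEY, HASH(full).digest(), HASH).digest()
    sig_ok = raw["signature_input"] == one["signature_input"] == HASH(SESSION_CONTEXT + CERTIFICATE).digest()
    return raw_ok and one_ok and sig_ok


if __name__ == "__main__":
    raw = auth_block_raw(FINISHED_KEY, SESSION_CONTEXT, CERTIFICATE, CERTIFICATE_VERIFY)
    one = auth_block_one_pipe(lambda: FINISHED_KEY, SESSION_CONTEXT, CERTIFICATE, CERTIFICATE_VERIFY)
    print("raw-bytes Finished      :", raw["finished"].hex())
    print("transcript-hash Finished:", one["finished"].hex())
    print("cross-check:", matches_direct_computation())
```

The signature input is identical in both variants because it is a hash either way; only the Finished computation differs, and the two Finished values are different MACs of different inputs, so the two designs are not interchangeable on the wire.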