This draft continues to have security issues when used in TLS 1.2. An attacker can mount a triple-handshake attack by using points of small order on Curve25519, generating zero on both sides. This draft needs to say that Curve25519 can only be used along with the extended master secret. Alternatively, we can completely remove the cofactor and reject zero keys.
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
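The "zero on both sides" effect the post refers to, and the "reject zero keys" mitigation it proposes, as an added example that is not part of the original post or of any IETF draft: a pure-Python X25519 written from the RFC 7748 Montgomery ladder, the RFC 7748 Diffie-Hellman test vectors (Alice's and Bob's keys), the public u-coordinates of the small-order points on Curve25519 and its twist, and the all-zero output check that RFC 7748 section 6.1 permits. The function names are this example's own; pure Python is not constant-time and the block is for illustration only.

```python
# Added example (not from the original post or any IETF draft). Shows that a
# small-order peer public key makes X25519 return all zeros for any clamped
# scalar, so both peers derive the same known premaster secret, and how the
# receiving side can detect and reject such a key.
P = 2**255 - 19
A24 = 121665  # (A - 2) / 4 for the Curve25519 coefficient A = 486662

# u-coordinates of the points of order 2, 4 and 8 on Curve25519 and its
# quadratic twist (public, well-known values; the same list is used as a
# blocklist by libsodium). A clamped scalar is a multiple of 8, so each of
# these maps to the point at infinity, which X25519 encodes as all zeros.
LOW_ORDER_U = (
    0,  # order 2
    1,  # order 4
    325606250916557431795983626356110631294008115727848805560023387167927233504,  # order 8
    39382357235489614581723060781553021112529911719440698176882885853963445705823,  # order 8
    P - 1,  # order 4, on the twist
)

# RFC 7748 section 6.1 Diffie-Hellman test vectors (published values).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED_K = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def decode_scalar(k: bytes) -> int:
    """Clamp per RFC 7748: clear the 3 low bits and bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """Little-endian u-coordinate; X25519 masks the top bit of the last byte."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")


def encode_u(x: int) -> bytes:
    return (x % P).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Raw X25519 (RFC 7748 section 5 ladder): u-coordinate of k*u, 32 bytes."""
    k_int = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # z2 == 0 is the point at infinity; pow(0, P - 2, P) == 0 yields all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_checked(k: bytes, u: bytes) -> bytes:
    """X25519 that rejects the all-zero output, as RFC 7748 section 6.1 allows."""
    out = x25519(k, u)
    if out == bytes(32):
        raise ValueError("peer public key has small order; shared secret is zero")
    return out


def accept_peer_key(k: bytes, peer_u: bytes) -> bool:
    """True if the peer's public key yields a usable (non-zero) shared secret."""
    try:
        x25519_checked(k, peer_u)
    except ValueError:
        return False
    return True


def zero_outputs_for_low_order_points(k: bytes) -> list:
    """The small-order u values whose shared secret with scalar k is all-zero."""
    return [u for u in LOW_ORDER_U if x25519(k, encode_u(u)) == bytes(32)]


if __name__ == "__main__":
    for u in LOW_ORDER_U:
        # Both honest peers derive the same zero secret from the attacker's key.
        both_zero = x25519(ALICE_PRIV, encode_u(u)) == x25519(BOB_PRIV, encode_u(u)) == bytes(32)
        print(f"u={u}: zero on both sides={both_zero}, accepted={accept_peer_key(ALICE_PRIV, encode_u(u))}")
    print("Bob's real key accepted:", accept_peer_key(ALICE_PRIV, BOB_PUB))
```

Rejecting the all-zero output is the per-connection check; the extended master secret the post asks for addresses the same triple-handshake problem at the key-derivation layer by binding the master secret to the handshake transcript, so the two are complementary rather than alternatives in practice.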