On 23 November 2015 at 12:56, Yoav Nir <ynir.i...@gmail.com> wrote: > It’s been suggested that as long as the CFRG signature curves document is not > finalized, we should wait with the eddsa_* ones. I don’t believe so. Anything > in any draft is subject to change up to the time it’s published [...]
In your opinion, do you see the semantics of the codepoints changing in any meaningful way? It's one thing to say "accept the risks", but if anyone thinks that there are necessary changes forthcoming, that would give me pause. If everyone says that it's highly unlikely, I'm supportive of the notion that we get a codepoint. Are we happy that we will only be needing the PureEdDSA variants and that no-one will be asking for the HashEdDSA versions? I ask because I've heard it suggested (I think Karthik mentioned this) that we might want to sign the transcript directly in TLS 1.3 rather than rely on collision-resistance of the selected hash function. That would be harder without access to HashEdDSA. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
