Martin Thomson <martin.thom...@gmail.com> wrote:

> On 23 December 2015 at 10:23, Brian Smith <br...@briansmith.org> wrote:
> > It may be the case that TLS requires contributory behavior and point
> > validation is still unnecessary. Or, it may be the case that TLS doesn't
> > really require contributory behavior (though, it seems obvious to me that it
> > does, at least for TLS 1.2 and earlier). Or, it may be the case that TLS
> > requires contributory behavior and a check is necessary. The draft should
> > make it clear which case we are dealing with, with a reference to the
> > reasoning that gave us whatever conclusion is reached, but currently that is
> > missing.
>
> My understanding is that with session hash TLS 1.2 is OK, as is 1.3.
> Like Watson and Thai, I think that 1.2 without session hash is not OK.
>
> That suggests that the 25519 draft should require session hash in 1.2.

If an implementation only implements ECDHE cipher suites then implementing the session hash extension is not necessary, according to RFC 7627. I believe there are also a few other factors that would cause implementing the session hash extension to be unnecessary.

If checking that the shared value isn't zero is sufficient, and/or blacklisting the public values that DJB mentions in [1] is sufficient, either would be better than mandating the implementation of the session hash extension just for this purpose.

[1] http://cr.yp.to/ecdh.html#validate

Cheers,
Brian
--
https://briansmith.org/

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls