On Wed, Dec 30, 2015 at 11:52:07AM +0100, Kurt Roeckx wrote:
> On Tue, Dec 29, 2015 at 10:10:47PM +0200, Karthikeyan Bhargavan wrote:
> > As mentioned before, validating Curve25519 public values is necessary in
> > TLS 1.2 without session hash.
> > Otherwise, as we pointed out in [1], the triple handshake attack returns.
>
> Would it make sense to have session hash as a requirement in TLS
> 1.2 when you want to use Curve25519?

I don't think that is reasonable. The RFC4492bis document could point out
the consequences of omitting the zero check (which is already REQUIRED) in
the security considerations tho.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
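As an added illustration of the zero check discussed above (example code, not from the thread or from RFC4492bis): X25519 as specified in RFC 7748, followed by a wrapper that aborts when the shared secret is all-zero. With clamped scalars, every low-order public value (u = 0 and u = 1 among them) yields the all-zero output, so rejecting that output is what rejects such values.

```python
# Added example: RFC 7748 X25519 plus the all-zero shared-secret check.
P = 2**255 - 19
A24 = 121665


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # the top bit of a received u-coordinate is ignored
    return int.from_bytes(b, "little")


def x25519_raw(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5, without any output check."""
    k_int, x_1 = _decode_scalar(k), _decode_u(u)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:  # a real implementation uses a constant-time cswap here
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x_3, z_3 = pow(da + cb, 2, P), x_1 * pow(da - cb, 2, P) % P
        x_2, z_2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    # The point at infinity has z_2 == 0, so pow(0, P-2, P) == 0 encodes as all-zero.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def x25519_checked(k: bytes, peer_u: bytes) -> bytes:
    """Shared secret with the REQUIRED all-zero check applied before use."""
    secret = x25519_raw(k, peer_u)
    if secret == bytes(32):  # compare in constant time in production code
        raise ValueError("peer public value is low-order; abort the handshake")
    return secret


def is_low_order(peer_u: bytes) -> bool:
    # Any clamped scalar classifies the input; bytes([8]) + 31 zero bytes is one.
    return x25519_raw(bytes([8]) + bytes(31), peer_u) == bytes(32)
```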