On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
>> Would it make sense to have session hash as a requirement in TLS
>> 1.2 when you want to use Curve25519?
>
> I don't think that is reasonable.

I think that is entirely reasonable.  TLS 1.2 relies on contributory
behaviour.  25519 doesn't provide that unless you do some extra
checking that we know many implementations don't do.

I'd be OK with either requiring session hash, some checking of values,
or both.  Otherwise we create a situation where the shared secret can
be forced by an attacker.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
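The contributory-behaviour problem referred to above, as an added illustration that is not code from this thread or from any TLS implementation: a pure-Python X25519 per RFC 7748 (not constant-time, for demonstration only), run once with honest keys and once against a low-order peer point. The private keys are constructed for the example; the RFC 7748 section 6.1 test vector is used to check the ladder. The `x25519_contributory` wrapper and `LOW_ORDER_U` list are this example's own names, not an API from any library.

```python
"""X25519 (RFC 7748) in pure Python plus the all-zero-output check.

Added example, not the thread's or any project's code. Python big-int
arithmetic is not constant-time, so this is for illustration only.
"""
P = 2**255 - 19          # field prime
A24 = 121665             # (A - 2) / 4 for Curve25519, A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 0x7F        # RFC 7748: ignore the top bit of the u-coordinate
    return int.from_bytes(b, "little")


def _clamp(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248          # clear low 3 bits: scalar is a multiple of the cofactor 8
    b[31] &= 127
    b[31] |= 64          # set bit 254 so the ladder length is fixed
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder exactly as written in RFC 7748 section 5."""
    k_int, x_1 = _clamp(k), _decode_u(u)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = pow((da + cb) % P, 2, P)
        z_3 = x_1 * pow((da - cb) % P, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # If the result is the point at infinity, z_2 == 0 and pow(0, P-2, P) == 0,
    # which is why a low-order peer point yields the all-zero output.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def x25519_contributory(k: bytes, peer_u: bytes):
    """The check the message asks for: reject an all-zero shared secret.

    Returns the shared secret, or None when the peer's point is of low
    order and the output no longer depends on our own private key.
    """
    s = x25519(k, peer_u)
    return None if s == bytes(32) else s


# Two of the low-order u-coordinates listed in RFC 7748 (0 and 1).
LOW_ORDER_U = [bytes(32), (1).to_bytes(32, "little")]

# RFC 7748 section 6.1 vector (Alice) and a second constructed key (Bob).
ALICE_PRIV = bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def forced_secret_demo() -> dict:
    """Honest exchange vs. a peer that sends a low-order point."""
    alice_pub = x25519(ALICE_PRIV, BASEPOINT)
    bob_pub = x25519(BOB_PRIV, BASEPOINT)
    honest = x25519_contributory(ALICE_PRIV, bob_pub)
    # Against a low-order point, every private key gives the same secret:
    # the attacker has forced it without knowing either key.
    forced = [x25519(priv, LOW_ORDER_U[0]) for priv in (ALICE_PRIV, BOB_PRIV)]
    return {
        "alice_pub": alice_pub,
        "bob_pub": bob_pub,
        "honest_matches": honest == x25519(BOB_PRIV, alice_pub),
        "forced_equal": forced[0] == forced[1] == bytes(32),
        "rejected": x25519_contributory(ALICE_PRIV, LOW_ORDER_U[0]) is None,
    }


if __name__ == "__main__":
    for key, val in forced_secret_demo().items():
        print(key, val.hex() if isinstance(val, bytes) else val)
```

Without the all-zero check (or the session-hash binding the message mentions as the alternative), the `forced_equal` case is the situation described: an attacker who substitutes a low-order point knows the resulting premaster secret in advance, regardless of either party's private key.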
