On Wed, Dec 30, 2015 at 4:03 PM, Brian Smith <br...@briansmith.org> wrote:
> I think it is a good idea to implement the session hash extension, in
> general. However, I think it is a bad idea to prescribe it as the solution
> for this particular problem because:
>
> 1. draft-irtf-cfrg-curves-11, in sections 6.1 and section 6.2 already
> require the check for a non-zero result, and that check is sufficient.

As discussed on the CFRG list, the plan is that the final curves RFC will say that the zero check is a MAY. (See https://www.ietf.org/mail-archive/web/cfrg/current/msg07611.html)

I don't mind if the integration of curve25519 in TLS requires a zero-check or not, but what property are people hoping to gain? If one wants to avoid triple-handshake-like issues then session-hash is the answer. A client can use an RSA key exchange to control the PMS completely, of course, and, with finite-field DH, a value of zero or p-1 will usually allow the same.

Cheers

AGL