On 2015-12-31 03:30, Adam Langley wrote:
> I don't mind if the integration of curve25519 in TLS requires a
> zero-check or not, but what property are people hoping to gain? If
> one wants to avoid triple-handshake like issues then session-hash
> is the answer.

(I have a terrible cold, so apologies if I am less than coherent!)

I think I prefer this, of the available options. Specify that:

• Both client and server MUST abort if X25519 and/or X448 are offered/chosen but session_hash is not;
• Explain why in Security Considerations;
• Test as part of interop/unit tests?

Zero checks are more likely to be omitted in practice because all the implementations out there already do that and don't return a value. And it's not something the peer would notice in normal operation.

Watson's approach might work too, but of the available options I think ensuring the transcript is hashed is the most robust with respect to any future attacks.

-- 
/akr
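The "zero-check" the thread is weighing is the all-zero-output test from RFC 7748 §6.1. The following is an added example, not code from the post or from any TLS stack: a pure-Python transcription of the RFC 7748 X25519 ladder, with the check applied to the result. The key pairs and shared secret are the RFC's own §6.1 test vectors; the function names `shared_secret_or_abort` and `rfc7748_vectors_ok`, and the two low-order inputs used to show why the check fires, are this example's choices. It also shows the point the post makes about silent omission: a ladder that "doesn't return a value" simply hands back 32 zero bytes, which nothing downstream will notice unless the caller looks.

```python
# Added example (not from the mailing-list post): RFC 7748 X25519 in pure
# Python plus the all-zero-output check ("zero-check"). The Montgomery ladder
# is transcribed from RFC 7748 section 5; it is a reference implementation,
# not constant-time, and must not be used as production crypto.

P = 2**255 - 19
A24 = 121665
ALL_ZERO = bytes(32)
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Two low-order u-coordinates (constructed inputs for the demonstration):
# u = 0 has order 2 and u = 1 has order 4 on Curve25519.
LOW_ORDER_U0 = (0).to_bytes(32, "little")
LOW_ORDER_U1 = (1).to_bytes(32, "little")


def decode_scalar(k: bytes) -> int:
    """Clamp and decode a 32-byte private key (RFC 7748 section 5)."""
    k = bytearray(k)
    k[0] &= 248        # clear the low 3 bits: the scalar becomes a multiple of 8
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a 32-byte u-coordinate, masking the unused top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """X25519(k, u): Montgomery ladder exactly as written in RFC 7748."""
    k = decode_scalar(k_bytes)
    x_1 = decode_u(u_bytes)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:  # variable-time swap; a real implementation uses cswap()
            x_2, x_3 = x_3, x_2
            z_2, z_3 = z_3, z_2
        swap = k_t
        A = (x_2 + z_2) % P
        AA = A * A % P
        B = (x_2 - z_2) % P
        BB = B * B % P
        E = (AA - BB) % P
        C = (x_3 + z_3) % P
        D = (x_3 - z_3) % P
        DA = D * A % P
        CB = C * B % P
        x_3 = (DA + CB) ** 2 % P
        z_3 = x_1 * ((DA - CB) ** 2 % P) % P
        x_2 = AA * BB % P
        z_2 = E * (AA + A24 * E) % P
    if swap:
        x_2, x_3 = x_3, x_2
        z_2, z_3 = z_3, z_2
    # For a low-order peer point the clamped scalar (a multiple of 8) takes the
    # ladder to the point at infinity, z_2 == 0, and the inversion yields 0.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def shared_secret_or_abort(priv: bytes, peer_pub: bytes):
    """The zero-check: return the shared secret, or None when it is all zeros.

    Returning None (an abort signal) is the whole point of the check; without
    it the caller would carry on with 32 zero bytes as key material.
    """
    ss = x25519(priv, peer_pub)
    return None if ss == ALL_ZERO else ss


def rfc7748_vectors_ok() -> bool:
    """Self-check against the RFC 7748 section 6.1 vectors."""
    return (
        x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
        and x25519(BOB_PRIV, BASEPOINT) == BOB_PUB
        and x25519(ALICE_PRIV, BOB_PUB) == SHARED
        and x25519(BOB_PRIV, ALICE_PUB) == SHARED
    )


if __name__ == "__main__":
    print("RFC 7748 vectors:", "ok" if rfc7748_vectors_ok() else "FAIL")
    for label, u in (("u=0", LOW_ORDER_U0), ("u=1", LOW_ORDER_U1)):
        result = shared_secret_or_abort(ALICE_PRIV, u)
        print(f"low-order peer key {label}: {'abort' if result is None else 'accepted'}")
```

Running it prints `ok` for the RFC vectors and `abort` for both low-order inputs; with the check removed, the same inputs produce a 32-byte all-zero "secret" that a peer cannot distinguish from a good one on the wire, which is the behaviour the post describes as easy to omit and invisible in normal operation.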