On Thu, Dec 31, 2015 at 1:23 AM, Alyssa Rowan <a...@akr.io> wrote:

> On 2015-12-31 03:30, Adam Langley wrote:
>
>> I don't mind if the integration of curve25519 in TLS requires a
>> zero-check or not, but what property are people hoping to gain? If
>> one wants to avoid triple-handshake-like issues then session-hash
>> is the answer.
>
> (I have a terrible cold, so apologies if I am less than coherent!)
>
> I think I prefer this, of the available options. Specify that:
>
> • Both client and server MUST abort if X25519 and/or X448 are
>   offered/chosen but session_hash is not;
> • Explain why in Security Considerations;
> • Test as part of interop/unit tests?
I think the above sets up a situation where the safer curves are tied to 0-RTT and friends.

I'm pretty sure any configuration under my purview will *not* have 0-RTT enabled. My servers will *not* be consuming data before it has been authenticated.

I can only say I'm "pretty sure". I won't know for certain until I actually step the code under a debugger and see what is being consumed in the negative cases.

My apologies if I am parsing it incorrectly or going against the grain.

Jeff

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
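The two mechanisms the thread is weighing, as an added example that is not part of any message above and not code from any TLS implementation: a from-scratch X25519 per RFC 7748 section 5, the optional all-zero output check from RFC 7748 section 6.1 (the "zero-check" Adam Langley mentions), and the negotiation rule Alyssa proposes (abort when X25519 or X448 is chosen but session_hash, the extended_master_secret extension of RFC 7627, is not). The key pair and shared-secret values are the RFC 7748 section 6.1 test vectors; the `negotiation_ok` function and the string group names it takes are assumptions made for illustration, not any stack's API.

```python
# Added example: pure-Python X25519 (RFC 7748 section 5), the all-zero
# shared-secret check (RFC 7748 section 6.1) and a toy negotiation check for
# the proposed "X25519/X448 only with session_hash" rule.  Not from the thread
# and not from any TLS library; negotiation_ok and its group-name strings are
# hypothetical.  The ladder is written for clarity, not constant time.

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")   # u = 9
ZERO = bytes(32)

# RFC 7748 section 6.1 test vectors (real, not constructed).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def decode_scalar(k: bytes) -> int:
    """Clamp per RFC 7748: clear the low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a u-coordinate; RFC 7748 requires masking the unused high bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder exactly as laid out in RFC 7748 section 5."""
    scalar = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # The point at infinity has z2 == 0 and therefore encodes as u = 0; that
    # is exactly what the all-zero check below is looking for.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    """X25519 plus the optional all-zero output check of RFC 7748 section 6.1."""
    out = x25519(priv, peer_pub)
    if out == ZERO:
        # A low-order peer point (u = 0, u = 1, ...) gives the same "secret"
        # for every private key, so refuse it instead of keying on it.
        raise ValueError("all-zero X25519 output: peer public key is low order")
    return out


def negotiation_ok(named_group: str, session_hash: bool) -> bool:
    """Hypothetical check for the proposed rule: X25519/X448 need session_hash."""
    if named_group in ("x25519", "x448") and not session_hash:
        return False
    return True


if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    print("shared secret:", shared_secret(ALICE_PRIV, BOB_PUB).hex())
    for low in (ZERO, (1).to_bytes(32, "little")):
        print("low-order input u =", low.hex()[:4], "->", x25519(ALICE_PRIV, low).hex())
    print("x25519 without session_hash allowed?", negotiation_ok("x25519", False))
```

The two checks address different things: the all-zero check rejects a peer key of small order after the key exchange has already happened, while the session_hash rule is evaluated on the negotiated extensions before any key is derived. Whichever one a deployment picks, it is the abort in the negative case that matters, so that is what is worth stepping through in a debugger.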