On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> > On 31 December 2015 at 17:54, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > > Zero checks can already be unit-tested/interop-tested just as well.
> >
> > What ekr said applies, but also this:
>
> I thought ekr's point was that if you need THS resistance, you
> require EMS. If you don't, not much point worrying what properties
> individual key exchanges have.

I think I was trying to say *almost* this: Namely that given that we have
existing mechanisms that rely on EMS for THS resistance, and most stacks
will continue to use them, then it's easier to just require EMS.

> > Yes, you can test that a given implementation does the right checks,
> > but you won't be checking during normal operation. If you require
> > session-hash, then every handshake includes that check and if someone
> > messes up, the handshake just fails. That's far more visible.
>
> I don't think the parts that actually matter are tested in normal
> use. Unless you mean deimplementing the entire old TLS master secret
> derivation...

What I was suggesting was that:

1. Implementations which support old algorithms need to have EMS for
THS resistance already.

2. Implementations which only do new algorithms can mandate EMS and not
implement old derivation at all, provided we make that a rule here.

-Ekr
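The "old derivation" and the session-hash derivation the thread contrasts, written out as an added example (this is not code from the thread, from any TLS stack, or from the RFCs; it assumes a SHA-256 PRF suite and uses constructed pre-master secret, randoms and handshake transcripts). The classic TLS 1.2 master secret (RFC 5246) is seeded only by the two randoms, so two handshakes that agree on pre-master secret and randoms end up with the same master secret even if everything else in the transcript differs; the extended master secret (RFC 7627) is seeded by the session hash, so any difference in the transcript changes the key. That is the "check" Martin describes as happening on every handshake: no extra code path, just a derivation that cannot produce a shared key from differing transcripts.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, "sha256").digest()
        out += hmac.new(secret, a + seed, "sha256").digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def classic_master_secret(pre_master: bytes, client_random: bytes,
                          server_random: bytes) -> bytes:
    """Original derivation (RFC 5246, section 8.1). Only the two 32-byte
    randoms tie the master secret to this handshake."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def extended_master_secret(pre_master: bytes, handshake_transcript: bytes) -> bytes:
    """EMS derivation (RFC 7627, section 4). The seed is the session hash:
    the PRF hash over all handshake messages up to and including
    ClientKeyExchange, so the whole transcript feeds the key."""
    session_hash = hashlib.sha256(handshake_transcript).digest()
    return prf(pre_master, b"extended master secret", session_hash, 48)


# Constructed inputs: two handshakes that share pre-master secret and randoms
# (the situation a triple-handshake-style setup aims for) but whose
# transcripts differ elsewhere, here in the server's certificate bytes.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
TRANSCRIPT_A = (b"ClientHello" + CLIENT_RANDOM + b"ServerHello" + SERVER_RANDOM
                + b"Certificate:server-a.example" + b"ClientKeyExchange")
TRANSCRIPT_B = (b"ClientHello" + CLIENT_RANDOM + b"ServerHello" + SERVER_RANDOM
                + b"Certificate:server-b.example" + b"ClientKeyExchange")


def compare_derivations() -> dict:
    """Derive both master secrets for both transcripts and report whether
    each derivation produces the same key for the two handshakes."""
    classic_a = classic_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    classic_b = classic_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    ems_a = extended_master_secret(PRE_MASTER, TRANSCRIPT_A)
    ems_b = extended_master_secret(PRE_MASTER, TRANSCRIPT_B)
    return {
        "classic_same": classic_a == classic_b,  # True: transcript never enters
        "ems_same": ems_a == ems_b,              # False: session hash differs
        "classic_len": len(classic_a),
        "ems_len": len(ems_a),
    }


if __name__ == "__main__":
    for key, value in compare_derivations().items():
        print(f"{key}: {value}")
```

A stack that only implements `extended_master_secret` (ekr's point 2) has no classic path left to fall back to, which is why "mandate EMS" and "don't implement the old derivation" amount to the same thing for new-algorithm-only implementations.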
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls