On Wed, Feb 24, 2016 at 10:08:02AM -0800, Martin Thomson wrote:
> On 24 February 2016 at 10:00, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
> > Be careful with that: One can get server impersonation attacks unless
> > one somehow binds the SS into signature (and unlike with client sigs,
> > there is no straightforward way).
>
> The key schedule, in every variation I've seen proposed, does that.
The server signature is essentially over raw handshake messages, up to and
including ServerCertificate. The first message that would depend on the
actual value of SS is ServerFinished, which comes after that point...

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
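The point Ilari makes above, as an added illustration that is not part of the thread and is not the draft's actual key schedule: build the server's flight twice with two different SS values and see which message is the first to change. The handshake message encodings, the HMAC standing in for the asymmetric signature, and the derivation labels (`xSS`, `master`, `server finished`) are all constructed assumptions; only the shape of the argument (signature over the transcript through ServerCertificate, Finished keyed from SS and ES) follows the message.

```python
import hashlib
import hmac
from typing import List, Tuple

HASH = "sha256"

# Constructed sample handshake messages (not real TLS encodings).
CLIENT_HELLO = b"ClientHello:random=" + bytes(range(32))
SERVER_HELLO = b"ServerHello:random=" + bytes(range(32, 64))
SERVER_CERT = b"ServerCertificate:cert=example-server-cert"
SIGN_KEY = b"server-signing-key"   # stands in for the server's private key
ES = b"\x11" * 32                  # ephemeral (EC)DHE secret, fixed so that only SS varies


def transcript_hash(msgs: List[bytes]) -> bytes:
    """Hash of the concatenated handshake messages seen so far."""
    h = hashlib.new(HASH)
    for m in msgs:
        h.update(m)
    return h.digest()


def expand(secret: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Stand-in for an HKDF-Expand-Label step; the labels used below are assumptions."""
    return hmac.new(secret, label + context, HASH).digest()


def server_flight(ss: bytes, es: bytes = ES) -> List[Tuple[str, bytes]]:
    """Build the handshake transcript for a given static secret SS.

    Returns (message name, message bytes) in wire order.
    """
    msgs = [("ClientHello", CLIENT_HELLO),
            ("ServerHello", SERVER_HELLO),
            ("ServerCertificate", SERVER_CERT)]

    # ServerCertificateVerify: the signature covers the raw transcript up to and
    # including ServerCertificate. HMAC under SIGN_KEY models the asymmetric
    # signature; SS is not an input anywhere on this line.
    sig = hmac.new(SIGN_KEY, transcript_hash([m for _, m in msgs]), HASH).digest()
    msgs.append(("ServerCertificateVerify", sig))

    # Simplified key schedule: the finished key is derived from both SS and ES,
    # so the first message keyed by it is the first one bound to SS.
    master_secret = expand(expand(ss, b"xSS"), b"master", es)
    finished_key = expand(master_secret, b"server finished")
    fin = hmac.new(finished_key, transcript_hash([m for _, m in msgs]), HASH).digest()
    msgs.append(("ServerFinished", fin))
    return msgs


def verify_signature(msgs: List[Tuple[str, bytes]]) -> bool:
    """Recompute the signature over the messages preceding ServerCertificateVerify."""
    names = [n for n, _ in msgs]
    idx = names.index("ServerCertificateVerify")
    expected = hmac.new(SIGN_KEY, transcript_hash([m for _, m in msgs[:idx]]), HASH).digest()
    return hmac.compare_digest(expected, msgs[idx][1])


def first_ss_dependent_message(ss_a: bytes, ss_b: bytes) -> str:
    """Run the flight under two SS values and name the first message that differs."""
    for (name, m_a), (_, m_b) in zip(server_flight(ss_a), server_flight(ss_b)):
        if m_a != m_b:
            return name
    return "none"


if __name__ == "__main__":
    ss_a, ss_b = b"\xaa" * 32, b"\xbb" * 32
    print("first SS-dependent message:", first_ss_dependent_message(ss_a, ss_b))
    print("signature identical under both SS values:",
          server_flight(ss_a)[3] == server_flight(ss_b)[3])
```

With everything but SS held fixed, the transcript is byte-for-byte identical through ServerCertificateVerify and first diverges at ServerFinished, which is the observation in the message: the signature itself never sees SS, and whatever binding exists comes from the key schedule feeding the Finished key.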