On Thu, Feb 25, 2016 at 08:05:58AM -0800, Shin'ichiro Matsuo wrote:
>
> -------------------------------------
>
> [What's checked]
> We checked the TLS draft-11 full handshake protocol for the following two
> properties.
> * Secrecy of payload: Can the attacker know the encrypted payload?
> * Authenticity: Can the attacker impersonate the server?

I think the following should be checked as well (once the relevant
definitions are available):

- signed TLS-EXPORTER results can be used for authentication.
- TLS-EXPORTER results can be used as secure encryption keys.

There are many pieces of software that rely on those two properties.

Also, reading the .pv file, it seems like only 1-RTT GDHE-CERT mode is
verified, not GDHE-PSK nor PSK nor any kind of 0-RTT mode.

(And then there are possibly even worse problems with usage... Not that
I know what's the "correct" model there).

-Ilari