On Tuesday 22 March 2016 09:55:07 Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
> >it doesn't explain where this "RSA-SHA-256" is used. IMHO it is
> >ambiguous.
> >
> >The "no MAC truncation" is also not explicit about what the sizes
> >should be.
> Well can you suggest some wording? I can't see how much more
> unambiguous a statement like "no MAC truncation" can be.

The Finished hash comes from PRF, which in turn comes from P_hash
construct which has practically unlimited output. The MAC is not
truncated there, the PRF output is, because it must be, as it is
defined.

I was thinking of something like the following:

    The length of verify_data (verify_data_length) in the Finished
    message MUST be equal to the length of output of the hash function
    used as the basis of the PRF selected for the ciphersuite. That is,
    in case of SHA-256 based PRF 32 octets MUST be used. This overrides
    the requirement from Section 7.4.9. of RFC 5246 that all
    ciphersuites defined at that time have verify_data_length of 12.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
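
The distinction drawn in the message above, as an added example that is not part of the original message or of any TLS implementation: P_hash from RFC 5246 written in Python, showing that the 12-octet verify_data is a cut of the PRF output stream, plus a receiver-side check that enforces the proposed full-length rule. The function names (`p_hash`, `verify_data`, `check_finished`) and the sample secret and transcript are constructed for illustration.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """P_hash (RFC 5246, section 5): chain HMAC blocks until `length` octets exist."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]  # the concatenated PRF stream is cut here


def verify_data(master_secret: bytes, label: bytes, handshake_messages: bytes,
                length: int, hash_name: str = "sha256") -> bytes:
    """PRF(master_secret, finished_label, Hash(handshake_messages))[0..length-1]."""
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return p_hash(master_secret, label + transcript_hash, length, hash_name)


def check_finished(received: bytes, master_secret: bytes, label: bytes,
                   handshake_messages: bytes, hash_name: str = "sha256") -> bool:
    """Accept only verify_data whose length equals the PRF hash output length."""
    required = hashlib.new(hash_name).digest_size  # 32 for SHA-256
    if len(received) != required:
        return False
    expected = verify_data(master_secret, label, handshake_messages,
                           required, hash_name)
    return hmac.compare_digest(received, expected)


# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"constructed handshake transcript"
LABEL = b"client finished"

if __name__ == "__main__":
    short = verify_data(MASTER_SECRET, LABEL, TRANSCRIPT, 12)
    full = verify_data(MASTER_SECRET, LABEL, TRANSCRIPT, 32)
    print(short.hex())
    print(full.hex())
    print(check_finished(short, MASTER_SECRET, LABEL, TRANSCRIPT))
    print(check_finished(full, MASTER_SECRET, LABEL, TRANSCRIPT))
```
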