On Thu, Jul 14, 2016 at 11:32:00AM +0300, Ilari Liusvaara wrote:
> I was thinking of just scanning the server key_share in order the groups
> appear... With no mixing if no key_share is absent.
>
> This would unify DHE-PSK and PSK for purposes of later handshake.
>
> Would need a way to ensure that some mixing happened tho!
Thinking some more about this:

- The initial value for the chain secret should be empty string, not L zeroes. If hash function is well-behaved (and most are), then empty and L zeroes are the same if passed as salt to HKDF-Extract, but empty string would cause an internal fault in derive_secret.
- One should ensure that the default type is "certificate authentication" and that this can't be changed without mixing in a secret.
- One needs to require that at least one secret mixing occurs in processing of CH/SH.

-Ilari
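The three points above, as an added illustration that is not code from the draft or from the poster: HKDF-Extract with an empty salt gives the same PRK as a salt of L zero bytes (RFC 5869 semantics, since HMAC zero-pads the key), and a chain-secret state that keeps "certificate" as the default authentication type, changes it only when a secret is mixed in, and refuses to proceed past CH/SH if nothing was mixed. The class and method names are hypothetical.

```python
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256
L = HASH().digest_size  # HashLen: 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract from RFC 5869: PRK = HMAC-Hash(salt, IKM).

    HMAC pads a key shorter than the block size with zero bytes, so an
    empty salt and a salt of L zero bytes yield the same PRK.
    """
    return hmac.new(salt, ikm, HASH).digest()


class ChainSecret:
    """Hypothetical running secret updated by HKDF-Extract per mixed-in input."""

    def __init__(self) -> None:
        self.secret = b""               # initial value: empty string, not L zeroes
        self.mixed = False              # whether any secret has been mixed in
        self.auth_type = "certificate"  # default; may only change on mixing

    def mix(self, ikm: bytes, auth_type: Optional[str] = None) -> bytes:
        """Mix a secret (PSK or (EC)DHE shared secret) into the chain.

        The authentication type can only be changed here, i.e. together
        with mixing in a secret, never on its own.
        """
        self.secret = hkdf_extract(self.secret, ikm)
        self.mixed = True
        if auth_type is not None:
            self.auth_type = auth_type
        return self.secret

    def finish(self) -> bytes:
        """Check after CH/SH processing that at least one mixing occurred."""
        if not self.mixed:
            raise ValueError("no secret was mixed into the chain during CH/SH")
        return self.secret


if __name__ == "__main__":
    # Constructed sample inputs, not real handshake secrets.
    chain = ChainSecret()
    chain.mix(b"constructed-psk", auth_type="psk")
    chain.mix(b"constructed-ecdhe-shared-secret")
    print(chain.auth_type, chain.finish().hex())
```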