On Mon, Jul 18, 2016 at 06:03:08PM +0200, Eric Rescorla wrote: > On Mon, Jul 18, 2016 at 5:07 PM, Ilari Liusvaara <ilariliusva...@welho.com> > wrote: > > > I think the end result was insane. The problem that makes it so difficult > > is that legacy signature types, group types and protection/PRFs interact, > > so not all supported offers that server has enabled are actually possible > > to chose. > > > > Can you say more about this?
I was referring to the scheme in TLS 1.2 and 1.3-14. The problem is, that even if X is "locally" possible (enabled on both sides, the algorithm and its "class" is advertised) does not guarantee that X is "globally" possible (there is actual configuration using X that meets all TLS constraints and algorithm enables). > I spent some time mocking up an implementation locally and it was pretty > clean. > > Perhaps what made it easier is that I did: > > 1. Define new cipher suites that were totally agnostic about the key > exchange and signature. > > 2. Assume everything was orthogonal except for the PSK/signature/key > exchange interaction... Both should eliminate the really nasty parts, as it would mean that unless server wanted to, any X is "locally" valid is also "globally" valid. Modulo key exchange types, but those aren't that bad usually. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
