On Tue, Nov 15, 2016 at 4:16 PM, Watson Ladd <watsonbl...@gmail.com> wrote:
> Hello,
>
> There has been a lot of chatter on GitHub about point validation. I think
> it's important to note that in TLS 1.3 the Triple Handshake variants
> enabled by small subgroup attacks are no longer a threat: the issue is
> reuse of ephemeral Diffie-Hellman exponents, resulting in compromise of
> what is effectively a long-term key.
>
> I would want a belt and suspenders approach: no use of ephemeral
> exponents,

Just to clarify, you mean "no reuse", right?

-Ekr

> and validation that points are on the curve. Order validation is
> unnecessary as the cofactor is small: in cases where it is not the curve
> probably shouldn't be used without a good reason, and I can't think of any.
>
> I know one implementation does keep ephemeral exponents indefinitely. This
> implementation also validates orders, which equals the expense of not
> regenerating ephemeral exponents.
>
> Sincerely,
> Watson
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls