> On 23 Nov 2016, at 12:22, John Mattsson <john.matts...@ericsson.com> wrote:
> 
> On 2016-11-21, 06:31, "TLS on behalf of Yaron Sheffer"
> <tls-boun...@ietf.org on behalf of yaronf.i...@gmail.com> wrote:
> 
>> So the key schedule changed and therefore we think cross-version attacks
>> are impossible. Have we also analyzed other protocols to ensure that
>> cross protocol attacks, e.g. with SSH or IPsec, are out of the question?
>> 
>> Put differently, algorithm designers gave us a cheap, easy to use tool
>> to avoid a class of potential attacks. Why are we insisting on not using
>> it?
> 
> Unless someone points out any major disadvantages with using a context, I
> agree with Yaron.

I’m not even sure what my position is on this. Specifying the use of a context 
here goes against the recommendation in the CFRG draft:

      Contexts SHOULD NOT be used opportunistically, as that kind of use
      is very error-prone.  If contexts are used, one SHOULD require all
      signature schemes available for use in that purpose support
      contexts.

If someone knows why this recommendation was made, that would be great.

However, three working groups are currently faced with this same decision: TLS, 
IPsecME and Curdle. I think it would be weird if these three groups came up 
with different answers to what is essentially the same question. At least for 
TLS and IKE there are no operational differences either. 

So Curdle, I’ve been told, is leaning towards empty context for Ed448 and no 
OID for Ed25519ctx. IPsecME has a thread similar to this one (with similar 
participants…)

Yoav

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

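The domain separation Yaron is asking about, as an added, self-contained example that is not part of this thread or of any IETF document: a minimal pure-Python Ed25519 in the style of the CFRG EdDSA draft (published as RFC 8032), where `sign`/`verify` take an optional context and hash in the draft's dom2 prefix. A signature made under one context (say a TLS one) then fails to verify under another (an IKE one) or as a pure Ed25519 signature, which is the cross-protocol property a context buys. Seed, message and context strings are constructed; the arithmetic is affine and not constant time, so it is for illustration only.

```python
import hashlib

Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = -121665 * pow(121666, Q - 2, Q) % Q              # curve constant d
I = pow(2, (Q - 1) // 4, Q)                          # sqrt(-1) mod Q
H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()

def _add(P, R):  # affine twisted-Edwards addition (a = -1); slow but simple
    t = D * P[0] * R[0] * P[1] * R[1] % Q
    return ((P[0] * R[1] + R[0] * P[1]) * pow(1 + t, Q - 2, Q) % Q,
            (P[1] * R[1] + P[0] * R[0]) * pow(1 - t, Q - 2, Q) % Q)
def _mul(P, e):  # double-and-add; not constant time, demo only
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = _add(R, R) if bit == "0" else _add(_add(R, R), P)
    return R
def _encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def _decode(s):  # decompress a 32-byte point; ValueError if it is not on the curve
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = x * I % Q
    if y >= Q or (x * x - xx) % Q: raise ValueError("invalid point")
    return (Q - x if (x & 1) != (s[31] >> 7) else x, y)
B = _decode((4 * pow(5, Q - 2, Q) % Q).to_bytes(32, "little"))  # standard base point
_clamp = lambda h: (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def _dom2(ctx):  # RFC 8032 dom2(F=0, C): binds an Ed25519ctx signature to its context
    if ctx is None: return b""  # pure Ed25519 hashes no prefix, so it never cross-verifies
    assert 1 <= len(ctx) <= 255, "Ed25519ctx needs 1..255 bytes of context"
    return b"SigEd25519 no Ed25519 collisions" + bytes([0, len(ctx)]) + ctx

def public_key(seed):
    return _encode(_mul(B, _clamp(H(seed))))

def sign(seed, msg, ctx=None):
    h, pk = H(seed), public_key(seed)
    r = int.from_bytes(H(_dom2(ctx), h[32:], msg), "little") % L
    Rb = _encode(_mul(B, r))
    k = int.from_bytes(H(_dom2(ctx), Rb, pk, msg), "little") % L
    return Rb + ((r + k * _clamp(h)) % L).to_bytes(32, "little")

def verify(pk, msg, sig, ctx=None):
    try: R, A = _decode(sig[:32]), _decode(pk)
    except ValueError: return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(H(_dom2(ctx), sig[:32], pk, msg), "little") % L
    return S < L and _mul(B, S) == _add(R, _mul(A, k))
```

With `ctx=b"TLS 1.3"` at signing time, `verify(pk, msg, sig, b"IKEv2")` and `verify(pk, msg, sig)` both return False even though key, message and signature bytes are identical.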