On Tue, Mar 21, 2017 at 05:13:23AM -0700, Eric Rescorla wrote:
> On Tue, Mar 21, 2017 at 2:45 AM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>
> I believe that OpenSSL is correct. Note that this construction already
> appeared in the computation for the binder keys in -18 and I believe that
> everyone interpreted it as the hash of the empty string.
>
> I think that's more natural given the notation, because Derive-Secret
> explicitly hashes the input, whereas HKDF-Expand-Label is defined
> as using "" = means a 0-length hash. If people think we should adopt
> your interpretation, I think we would need to special-case the notation,
> which of course isn't the worst thing in the world.
>
> Maybe we should update the draft, though.

Ah, I was confused by the note about zero-length HashValue. It applies to
just HKDF-Expand-Label, but I read it to also apply to Derive-Secret (and
given how code is structured, it didn't create an obvious edge case in code).

-Ilari
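
Added example, not part of the original messages and not OpenSSL's code: the two readings discussed above, computed side by side to show that they yield different secrets and so cannot interoperate. It assumes SHA-256, the HkdfLabel encoding and "tls13 " label prefix of the final RFC 8446 (the drafts under discussion used a different prefix), and the "derived" label; the function names are illustrative.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    # Assumption: RFC 8446 HkdfLabel encoding with the "tls13 " prefix.
    full = b"tls13 " + label
    return (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)

def hkdf_expand_label(secret, label, context, length):
    return hkdf_expand(secret, hkdf_label(label, context, length), length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    # Derive-Secret hashes Messages first, so "" becomes Hash("") (32 bytes).
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

def derive_secret_zero_length(secret: bytes, label: bytes) -> bytes:
    # The misreading: "" passed through as a zero-length hash value.
    return hkdf_expand_label(secret, label, b"", HASH_LEN)

def compare(secret: bytes, label: bytes = b"derived"):
    """Return (hash-of-empty result, zero-length result) for one secret."""
    return derive_secret(secret, label, b""), derive_secret_zero_length(secret, label)

if __name__ == "__main__":
    # Constructed input: Early Secret with no PSK (all-zero salt and IKM).
    early = hkdf_extract(bytes(HASH_LEN), bytes(HASH_LEN))
    correct, misread = compare(early)
    print("Hash(\"\") context   :", correct.hex())
    print("zero-length context:", misread.hex())
    print("interoperable:", correct == misread)
```

The two HkdfLabel encodings differ only in the trailing context field (32 bytes of Hash("") versus a single zero length byte), which is why an implementation structured around one reading shows no obvious edge case until it meets a peer using the other.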