On 04/16/2017 01:42 PM, Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/pull/950
>
> Target merge date: Tuesday
>
> I have just posted PR#950, which recommends that servers generate unpredictable
> context values for CertificateRequest in post-handshake client authentication. This
> prevents attacks in which an attacker who has temporary access to the client's
> private key can forge valid CertificateVerify messages.
>
> Note that this is not an enormously large improvement because an attacker who
> has temporary access to the private key can do a bunch of other stuff, like forging
> a complete handshake message, but I can imagine some artificial scenarios
> where it might be useful, for instance if the user's private key is in an HSM and
> so the attacker has permanent control of the user's machine but can't get him
> to generate an arbitrary number of private key operations without detection.
>
> Unless I have missed something, this seems like harmless advice, so I tend
> to think we should add it. Comments welcome.
>
Sounds like a good idea. -Ben
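To make the recommendation in the quoted post concrete, here is an added example (not code from the PR or from either poster) of how a server would generate an unpredictable certificate_request_context, encode it into the CertificateRequest handshake message, and how the client's CertificateVerify signature input comes to depend on it. The handshake transcript and Certificate bytes are constructed placeholders; the signature_algorithms extension is a minimal one assumed for illustration.

```python
import os
import hashlib

HS_CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request
# Context string for a client CertificateVerify (RFC 8446, Section 4.4.3).
CLIENT_CV_CONTEXT = b"TLS 1.3, client CertificateVerify"
# Minimal signature_algorithms extension (type 13) listing
# ecdsa_secp256r1_sha256 (0x0403) and rsa_pss_rsae_sha256 (0x0804).
SIGNATURE_ALGORITHMS_EXT = bytes.fromhex("000d0006" "0004" "0403" "0804")


def new_request_context(length: int = 32) -> bytes:
    """Server side: an unpredictable certificate_request_context.
    A counter would let someone with temporary key access pre-sign
    for contexts they can predict; random bytes from the OS CSPRNG do not."""
    if not 0 < length <= 255:  # opaque certificate_request_context<0..2^8-1>
        raise ValueError("context length must be 1..255 bytes")
    return os.urandom(length)


def build_certificate_request(context: bytes, extensions: bytes) -> bytes:
    """Encode the Handshake message carrying a CertificateRequest:
       opaque certificate_request_context<0..2^8-1>;
       Extension extensions<2..2^16-1>;"""
    if len(context) > 255:
        raise ValueError("context too long")
    if not 2 <= len(extensions) <= 0xFFFF:
        raise ValueError("extensions vector must be 2..2^16-1 bytes")
    body = (bytes([len(context)]) + context
            + len(extensions).to_bytes(2, "big") + extensions)
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def certificate_verify_input(handshake_transcript: bytes,
                             cert_request: bytes, certificate: bytes) -> bytes:
    """Bytes the client signs in a post-handshake CertificateVerify:
    64 spaces, the context string, a zero byte, then the transcript hash.
    For post-handshake auth the hash covers the completed handshake plus
    the CertificateRequest and Certificate messages, so the server's
    context value is bound into what gets signed (SHA-256 assumed here)."""
    transcript_hash = hashlib.sha256(
        handshake_transcript + cert_request + certificate).digest()
    return b" " * 64 + CLIENT_CV_CONTEXT + b"\x00" + transcript_hash


def same_signature_input(transcript: bytes, certificate: bytes,
                         context_a: bytes, context_b: bytes) -> bool:
    """True only if two contexts yield the same bytes to sign, i.e. a
    signature produced for context_a would also verify for context_b."""
    req_a = build_certificate_request(context_a, SIGNATURE_ALGORITHMS_EXT)
    req_b = build_certificate_request(context_b, SIGNATURE_ALGORITHMS_EXT)
    return (certificate_verify_input(transcript, req_a, certificate)
            == certificate_verify_input(transcript, req_b, certificate))
```

Because the context is hashed into the signed transcript, a CertificateVerify produced for one context value is useless for any other, which is what makes an unpredictable context worth having.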
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls