While reading/implementing draft-ietf-tls-exported-authenticator I came across the following:
1) The exporter labels are the opposite way around for handshake contexts and finished keys, which makes little sense. The text seems to imply that the finished key label the client uses for sending is "EXPORTER-server authenticator finished key". 2) In TLS 1.2, even if TLS PRF is not used, the hash function that absolutely must exist is called "the hash function to use in the Finished message computation" or "the hash function defined for the Finished message computation" (and if TLS PRF is used, this hash is the same hash function as the one underlying TLS PRF). TLS 1.3 is less consistent: - "the Hash algorithm for the handshake" (4.4.4) - "KDF hash algorithm" (4.6.1) - "the cipher suite hash algorithm" (7.1) - "the [...] hash algorithm to be used with HKDF" (B.4) ... All those apparently refer to one and the same thing. 3) What is the Hash() in "Hash(Handshake Context || Certificate)" and "Hash(Handshake Context || Certificate || CertificateVerify)" ? I presume it is the same hash as the one took the output length of in 2). 4) What is "the hash function from the handshake" exactly? I presume it is the same hash as in 3). 5) Test vectors would be nice (use some deterministic signature, like Ed25519)... I have one set of vectors I dumped from my implementation, but no idea if those are correct (for example, I assumed that the handshake context and finished labels are the same way around, and the hash for points 2 to 4 is the hash function defined for the Finished message computation in the TLS connection the authenticator is to be created from). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
