I noticed some confusion today about the topic of ambiguous transcripts in cTLS. My claim was not that any single cTLS profile has an ambiguous transcript. If such a thing were true, I believe that would be a bug in the cTLS specification.
Instead, I was trying to highlight the concern of "profile confusion" attacks, in which an attacker is able to convince the two parties that different profiles (with the same ID) are in use. In these cases, the two parties can verify their agreed-upon transcript, but interpret it differently, which could lead to vulnerabilities. Including the "template" in the transcript rules out these attacks. However, this protection depends on the use of a strong transcript hash in the Finished message, and shortening or omitting this hash has also been discussed. As you can see, there are still many interesting open questions related to cTLS.

--Ben
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
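The profile-confusion concern described in the message above, as an added example that is not part of the original e-mail or of the cTLS specification. The profile layout, field names, template serialization and message bytes are constructed assumptions and do not follow the cTLS wire format; the point is only that a transcript hash over the wire bytes alone verifies for both peers even though they expand the bytes differently, while a hash that also covers each peer's template does not.

```python
import hashlib
import json

# Constructed toy profiles that share ID 7 but disagree on fixed values and
# field order. This is NOT the cTLS wire format, only a model of the idea.
PROFILE_A = {"id": 7, "fixed": {"cipher": "AES_128_GCM"},
             "wire": [["group", 1], ["key_share", 4]]}
PROFILE_B = {"id": 7, "fixed": {"cipher": "CHACHA20_POLY1305"},
             "wire": [["key_share", 4], ["group", 1]]}

# Constructed compressed message: profile ID byte followed by 5 payload bytes.
MESSAGE = bytes([7]) + bytes.fromhex("1da1b2c3d4")

def decode(profile, message):
    """Expand a compressed message into the handshake values this peer sees."""
    if message[0] != profile["id"]:
        raise ValueError("unknown profile ID")
    fields, offset = dict(profile["fixed"]), 1
    for name, size in profile["wire"]:
        chunk = message[offset:offset + size]
        if len(chunk) != size:
            raise ValueError("truncated field: " + name)
        fields[name] = chunk.hex()
        offset += size
    if offset != len(message):
        raise ValueError("trailing bytes")
    return fields

def transcript_hash(profile, message, bind_template):
    """SHA-256 over the wire bytes, optionally prefixed by the peer's template."""
    h = hashlib.sha256()
    if bind_template:
        # Assumed canonical template encoding: sorted-key JSON, length-prefixed.
        template = json.dumps(profile, sort_keys=True).encode()
        h.update(len(template).to_bytes(4, "big") + template)
    h.update(message)
    return h.hexdigest()

def peers_agree(client_profile, server_profile, message, bind_template):
    """True if both peers compute the same hash, i.e. Finished would verify."""
    return (transcript_hash(client_profile, message, bind_template)
            == transcript_hash(server_profile, message, bind_template))

if __name__ == "__main__":
    print(decode(PROFILE_A, MESSAGE))
    print(decode(PROFILE_B, MESSAGE))
    print("wire-only agrees:", peers_agree(PROFILE_A, PROFILE_B, MESSAGE, False))
    print("template-bound agrees:", peers_agree(PROFILE_A, PROFILE_B, MESSAGE, True))
```
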