> > I mean, is there a cryptographic reason for it?
No.

> (However, absent cryptographic reasons, this all is way premature.)

Indeed. We like to have a concrete proposal, but thinking through these
details is premature at this point.

[snip]

> What that in effect does is to make it much more difficult to exploit
> chosen-prefix collisions in the hash function. However, that requirement
> holds irrespective of the hash function used, and it has in fact been
> held for SHA-256 (regardless of there not being any known even remotely
> feasible attacks) instead of just being a dead letter from the past
> with much worse hash functions.

Ah, it would indeed be neat if we could design this, so that we do not
require (chosen prefix) collision resistance of the hash. I'd say it's
nice to have, but not a must.

Tracking in https://github.com/davidben/merkle-tree-certs/issues/45

Best,

 Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls