On 16/11/16 12:41, Paul Wouters wrote:
> On Nov 16, 2016, at 10:49, Yoav Nir <[email protected]> wrote:
>> So I suggest adding the following paragraph at the end of section 2 of the
>> eddsa draft:
>> The context parameter for Ed448 MUST be set to the empty string.
> I agree. Context seems useful for generic crypto but not for something that is
> already strongly bound by an IETF transport protocol.
> Additionally, we have a similar problem when allowing the same key in IKEv1
> and IKEv2, where the key has different security properties.
> Paul
I don't think there's any cost to having a non-empty context string,
e.g. "IKEv2", and there's potentially value. TLS cross-protocol attacks
show that signatures can be abused even when embedded in a transport
protocol.
The fact that we have the same problem elsewhere is no reason to
propagate it further.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
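The cross-protocol point Yaron makes above can be seen directly in how Ed448 uses its context string: RFC 8032 prefixes every hash computed during signing and verification with dom4(), which carries the context, so a signature produced under one context is invalid under any other. The following is an added example written for this page, not code from the thread, from the eddsa draft or from any IETF implementation. It is a compact RFC 8032 Ed448 in pure Python (SHAKE256 from the standard library), with the key pair taken from the "Blank" test vector in RFC 8032 section 7.4 purely to check the curve arithmetic; the message bytes and the label "TLS 1.3" are made up, and "IKEv2" is the label Yaron mentions as a possibility.

```python
"""Ed448 (RFC 8032) with its context string, pure Python, stdlib only. Added
example for this page, not code from the thread or any IETF implementation.
Variable-time arithmetic: for study, not for production use."""
import hashlib

p = 2**448 - 2**224 - 1                      # field prime
d = p - 39081                                # curve constant d = -39081
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
B_y = 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660
NEUTRAL = (0, 1, 1)                          # identity in projective (X, Y, Z)
# RFC 8032 section 7.4 "Blank" key pair, used only to check the arithmetic.
RFC8032_SK = bytes.fromhex("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3"
                           "528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b")
RFC8032_PK = bytes.fromhex("5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778"
                           "edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180")

def add(P, Q):
    """Complete addition law of x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 5.2.4)."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    A = Z1 * Z2 % p
    Bsq = A * A % p
    C, D = X1 * X2 % p, Y1 * Y2 % p
    E = d * C * D % p
    F, G = (Bsq - E) % p, (Bsq + E) % p
    H = (X1 + Y1) * (X2 + Y2) % p
    return (A * F * (H - C - D) % p, A * G * (D - C) % p, F * G % p)

def mul(k, P):
    R = NEUTRAL                              # double-and-add, variable time
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def affine(P):
    X, Y, Z = P
    zi = pow(Z, p - 2, p)
    return (X * zi % p, Y * zi % p)

def encode(P):
    x, y = affine(P)                         # 57 bytes: y little-endian, top bit = parity of x
    return (y | (x & 1) << 455).to_bytes(57, "little")

def decode(b):
    """Inverse of encode(); returns None for malformed or off-curve input."""
    n = int.from_bytes(b, "little")
    x0, y = n >> 455, n & ((1 << 455) - 1)
    if len(b) != 57 or y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y - 1, p - 2, p) % p   # x^2 = (y^2-1)/(d*y^2-1)
    x = pow(x2, (p + 1) // 4, p)                          # sqrt, valid as p = 3 mod 4
    if x * x % p != x2 or (x == 0 and x0 == 1):
        return None
    return (p - x if x & 1 != x0 else x, y, 1)

B = decode(B_y.to_bytes(57, "little"))       # base point; its x coordinate is even

def dom4(ctx, phflag=0):
    """Domain separator that binds the context into every hash (RFC 8032 5.2.6)."""
    if len(ctx) > 255:
        raise ValueError("Ed448 context is limited to 255 bytes")
    return b"SigEd448" + bytes([phflag, len(ctx)]) + ctx

def expand(sk):
    h = hashlib.shake_256(sk).digest(114)
    s = bytearray(h[:57])
    s[0] &= 0xFC; s[56] = 0; s[55] |= 0x80   # scalar clamping, RFC 8032 5.2.5
    return int.from_bytes(s, "little"), h[57:]

def public_key(sk):
    return encode(mul(expand(sk)[0], B))

def sign(sk, msg, ctx=b""):
    s, prefix = expand(sk)
    A = encode(mul(s, B))
    r = int.from_bytes(hashlib.shake_256(dom4(ctx) + prefix + msg).digest(114), "little") % L
    R = encode(mul(r, B))
    k = int.from_bytes(hashlib.shake_256(dom4(ctx) + R + A + msg).digest(114), "little") % L
    return R + ((r + k * s) % L).to_bytes(57, "little")

def verify(pk, msg, sig, ctx=b""):
    R, A = decode(sig[:57]), decode(pk)      # True only under exactly this context
    S = int.from_bytes(sig[57:], "little")
    if len(sig) != 114 or R is None or A is None or S >= L:
        return False
    k = int.from_bytes(hashlib.shake_256(dom4(ctx) + sig[:57] + pk + msg).digest(114), "little") % L
    return affine(mul(S, B)) == affine(add(R, mul(k, A)))

def cross_context_demo():
    """Sign under "IKEv2", then verify under the same, the empty and another label."""
    msg = b"constructed stand-in for the octets IKEv2 would sign"   # made-up input
    pk = public_key(RFC8032_SK)
    sig = sign(RFC8032_SK, msg, b"IKEv2")
    return {"IKEv2": verify(pk, msg, sig, b"IKEv2"),
            "empty": verify(pk, msg, sig, b""),
            "TLS 1.3": verify(pk, msg, sig, b"TLS 1.3"),    # hypothetical other label
            "tampered": verify(pk, msg + b"!", sig, b"IKEv2")}
```

Calling cross_context_demo() returns True for "IKEv2" and False for the other three entries: the context enters both the nonce hash and the challenge hash through dom4(), so the same key, message and signature bytes fail verification the moment the verifier's label differs. That is what stops a signature obtained in one protocol from being replayed into another that uses the same key. With the context fixed to the empty string, nothing in the signature itself records which protocol it was made for, and separation rests entirely on the signed octets never colliding across protocols.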