On 2014-12-19 at 21:43 -0500, Sam Whited wrote:
> Sounds good; step two is to convince TLS stack maintainers to actually
> give us access to the client final message so we can do `tls-unique'
> channel binding without resorting to bundling our own TLS stacks
> (seriously; everything uses tls-unique for channel binding, and it seems
> like very few stacks actually give you access to the info you need for it).
Probably because the Triple Handshakes Considered Harmful paper from earlier this year showed that using only the final message for channel binding was broken and vulnerable, so there are IETF drafts for fixes to TLS to provide something which actually offers a non-forgeable identity for channel binding, but nothing concrete yet (when I last checked, which was a little while back now).

https://secure-resumption.com/

-Phil
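For readers following the exchange above: the following is an added illustration, not code from either poster, of what "tls-unique channel binding" actually does in the protocol that uses it most, SCRAM-*-PLUS (RFC 5802 / RFC 7677). The client's proof covers the `c=` attribute, which carries the GS2 header plus the tls-unique value (per RFC 5929, the first TLS Finished message of the connection), and the server must compare that value against what its own TLS stack reports. No TLS handshake is performed; the credentials, nonces and the 12-byte tls-unique strings are constructed stand-ins for what a TLS stack would hand back, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Added example (not from the thread): SCRAM-SHA-256-PLUS client proof and server
# check with a tls-unique channel binding. The tls-unique bytes passed to run()
# are constructed; a real client would obtain them from its TLS stack.

HASH = hashlib.sha256
GS2_HEADER = b"p=tls-unique,,"   # "p=" means the client requires channel binding


def hmac_h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse_attrs(msg: bytes) -> dict:
    """Split 'k=v,k=v' SCRAM attributes; values here are base64/hex, so no ','."""
    return dict(kv.split(b"=", 1) for kv in msg.split(b","))


def stored_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """What the server stores: H(ClientKey), ClientKey = HMAC(Hi(pw, salt, i), 'Client Key')."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return HASH(hmac_h(salted, b"Client Key")).digest()


def client_final_message(password: bytes, client_first_bare: bytes,
                         server_first: bytes, tls_unique: bytes) -> bytes:
    """Client side: the proof covers AuthMessage, whose c= holds GS2 header + tls-unique."""
    sf = parse_attrs(server_first)
    salt, iterations, nonce = base64.b64decode(sf[b"s"]), int(sf[b"i"]), sf[b"r"]
    cbind = base64.b64encode(GS2_HEADER + tls_unique)
    without_proof = b"c=" + cbind + b",r=" + nonce
    auth_message = b",".join([client_first_bare, server_first, without_proof])
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac_h(salted, b"Client Key")
    client_sig = hmac_h(HASH(client_key).digest(), auth_message)
    return without_proof + b",p=" + base64.b64encode(xor(client_key, client_sig))


def server_check(server_stored_key: bytes, client_first_bare: bytes, server_first: bytes,
                 client_final: bytes, server_tls_unique: bytes) -> dict:
    """Server side. Verifying the proof alone is not enough: the proof is consistent
    with whatever c= the client sent, so the server must also compare that c=
    against the tls-unique of the TLS connection the server itself terminated."""
    without_proof, _, proof_b64 = client_final.rpartition(b",p=")
    cf = parse_attrs(without_proof)
    expected_cbind = base64.b64encode(GS2_HEADER + server_tls_unique)
    cb_ok = hmac.compare_digest(cf[b"c"], expected_cbind)
    auth_message = b",".join([client_first_bare, server_first, without_proof])
    client_key = xor(base64.b64decode(proof_b64), hmac_h(server_stored_key, auth_message))
    proof_ok = hmac.compare_digest(HASH(client_key).digest(), server_stored_key)
    return {"channel_binding_ok": cb_ok, "proof_ok": proof_ok, "accept": cb_ok and proof_ok}


def run(client_tls_unique: bytes, server_tls_unique: bytes) -> dict:
    """One SCRAM exchange with constructed credentials and nonces."""
    password, salt, iterations = b"pencil", b"constructed-salt", 4096
    client_first_bare = b"n=user,r=c0ffee1234"
    server_first = b"r=c0ffee1234beef5678,s=" + base64.b64encode(salt) + b",i=4096"
    client_final = client_final_message(password, client_first_bare, server_first,
                                        client_tls_unique)
    return server_check(stored_key(password, salt, iterations), client_first_bare,
                        server_first, client_final, server_tls_unique)


# Direct connection: both ends see the same first Finished message (12 bytes in TLS 1.2).
SAME = run(b"\x01" * 12, b"\x01" * 12)
# TLS-terminating relay in the middle: the server's own connection has a different
# Finished message, so the proof still verifies but the c= comparison fails.
RELAYED = run(b"\x01" * 12, b"\x02" * 12)

if __name__ == "__main__":
    print("direct: ", SAME)
    print("relayed:", RELAYED)
```

The `RELAYED` case is the one to look at: `proof_ok` is true because the proof is internally consistent with the `c=` the client sent, and only the explicit comparison with the server's own tls-unique rejects the login. That comparison is exactly what a stack has to expose the Finished message for, and it is also the value the triple handshake work showed an attacker can make identical on two different connections, which is why the thread points at a replacement binding rather than a fix to this check.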
