Hi all,

As mentioned in Tuesday's session, Ed448 and Ed25519ctx add a new parameter to the signature function: a context string. Setting this string to a different value for each application (where application could be "PKIX", "TLS", "IKE") leads to different results, and thus a signature made in one context does not validate in another context. This reduces the attack surface for attacks involving signing oracles.

The CFRG draft suggests that "contexts SHOULD NOT be used opportunistically, as that kind of use is very error-prone. If contexts are used, one SHOULD require all signature schemes available for use in that purpose support contexts". As I don't think this WG is ready to deprecate RSA, DSA, and ECDSA in one fell swoop, I think we should not use contexts. So I suggest adding the following sentence at the end of the fifth paragraph of section 5.10 ("All EdDSA computations MUST be performed...") of the rfc4492bis draft:

    The context parameter for Ed448 MUST be set to the empty string.

Comments?

Yoav

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
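The domain separation the message describes, shown as an added example that is not part of the original post or of the rfc4492bis draft. It uses Go's standard crypto/ed25519, which implements Ed25519ctx (RFC 8032) when Options.Context is non-empty and plain Ed25519 when it is empty; Ed448 is not in the Go standard library, so the Ed25519ctx variant stands in for it. The key, message and the context labels "TLS" and "PKIX" are constructed for the demonstration; the point is that a signature made under one context does not verify under another, nor under the context-free scheme, which is exactly why mixing context-aware and context-free signers across applications is error-prone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signWithContext produces an Ed25519ctx signature over msg, domain-separated
// by ctx. With a non-empty Context and a zero Hash, Go selects Ed25519ctx;
// with an empty Context it produces a pure Ed25519 signature.
func signWithContext(priv ed25519.PrivateKey, msg []byte, ctx string) ([]byte, error) {
	return priv.Sign(rand.Reader, msg, &ed25519.Options{Context: ctx})
}

// verifyWithContext reports whether sig over msg is valid under ctx.
// The empty string selects pure Ed25519, the policy the draft text proposes.
func verifyWithContext(pub ed25519.PublicKey, msg, sig []byte, ctx string) bool {
	return ed25519.VerifyWithOptions(pub, msg, sig, &ed25519.Options{Context: ctx}) == nil
}

// ContextSeparationDemo signs a constructed message under the context "TLS"
// and returns whether that signature verifies under "TLS", under "PKIX", and
// under the empty (context-free) scheme, in that order. A signing oracle in
// one application therefore cannot be used to forge for another application
// as long as every party checks the context it expects.
func ContextSeparationDemo() (sameCtx, otherCtx, noCtx bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		return
	}
	msg := []byte("constructed sample: bytes to be signed in a TLS handshake")
	sig, err := signWithContext(priv, msg, "TLS")
	if err != nil {
		return
	}
	sameCtx = verifyWithContext(pub, msg, sig, "TLS")
	otherCtx = verifyWithContext(pub, msg, sig, "PKIX")
	noCtx = verifyWithContext(pub, msg, sig, "")
	return
}

// EmptyContextRoundTrip models the proposed rule ("context MUST be the empty
// string"): a signature made with no context verifies with no context, and
// stays self-consistent between a context-free signer and verifier.
func EmptyContextRoundTrip() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		return false, err
	}
	msg := []byte("constructed sample: context-free signature input")
	sig, err := signWithContext(priv, msg, "")
	if err != nil {
		return false, err
	}
	return verifyWithContext(pub, msg, sig, ""), nil
}

func main() {
	same, other, none, err := ContextSeparationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed under TLS: verifies under TLS=%v PKIX=%v empty=%v\n", same, other, none)
	ok, err := EmptyContextRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("empty-context round trip verifies: %v\n", ok)
}
```

Running this prints that the "TLS" signature verifies only under "TLS"; the same bytes fail under "PKIX" and under the context-free scheme. That second failure is the practical cost the CFRG text warns about: a deployment that sets a context in one place and omits it in another silently rejects valid signatures, which is the reason for choosing one policy (here, the empty string) for the whole scheme.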