With option (2) would the keys end up being independent anyway? I think we
might need to share the sequence number space between the handshake messages
and the application data messages to avoid truncation attacks. I might have
missed this, but was there a proposal to deal with sequence numbers
Just to be clear: the "+1" I sent earlier meant "I agree with Karthik" -- so it
means solution (2).
> On Jun 14, 2016, at 1:18 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> Key reuse often ends up causing problems. IMHO a more sound approach is (2).
> IMHO it isn't
+2
Will Serumgard
> On Jun 14, 2016, at 4:22 AM, Watson Ladd wrote:
>
>
> On Jun 13, 2016 10:08 PM, "Karthikeyan Bhargavan"
> wrote:
> >
> > I prefer (2)
>
> Same. It's clear 1 makes proofs more complicated, making mistakes easier to
>
I am in favour of option (2).
Cheers
Ben.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
On Tue, Jun 14, 2016 at 11:33:11AM +0300, Yoav Nir wrote:
>
>
> (1)
+1
> One important (for me) use case for handshake messages after the
> original handshake is client certificate authentication. Disclosing
> that the user has just touched the magic resource that causes
> certificate
I also prefer (2).
Cheers,
Felix
On 14/06/2016 14:45 +0200, Cas Cremers wrote:
> It is not quite as simple as saying "(1) makes proofs more complicated"
> since it depends on what you are trying to prove.
>
> (1) makes some styles of standard AKE property proofs (key secrecy,
> authentication)
Peter Gutmann writes:
> Hubert Kario writes:
>
> >to be pedantic, the RFC describes itself "a profile" while in reality it
> >modifies the protocol in a way that will make it incompatible with "vanilla"
> >TLS 1.2 implementations
>
> Oh, right.
It is not quite as simple as saying "(1) makes proofs more complicated"
since it depends on what you are trying to prove.
(1) makes some styles of standard AKE property proofs (key secrecy,
authentication) harder
(2) might make some privacy proofs harder
Given that the proof-effort has mostly
Key reuse often ends up causing problems. IMHO a more sound approach is (2).
IMHO it isn't prohibitively expensive either.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
Original Message
From: Björn Tackmann
Sent: Tuesday, June 14, 2016 05:23
To: tls@ietf.org
s/it's/its/ in one place in your errata text, Aaron.
On Tue, Jun 14, 2016 at 5:04 AM, Aaron Zauner wrote:
> Hi,
>
> It's been a few weeks. We by now know of at least one other affected vendor.
> I think this errata is valid and should be accepted. I'll take any feedback
> and
+1
> On Jun 14, 2016, at 7:08 AM, Karthikeyan Bhargavan
> wrote:
>
> I prefer (2)
>
>> On 13 Jun 2016, at 22:27, Daniel Kahn Gillmor wrote:
>>
>> On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote:
>>> 1. Use the same key for
Hi dkg,
sorry for my late response.
Let me start by saying that I do not believe that this is really critical;
after all, we can prove alternative (1) as well — it’s just less clean and
makes the proofs harder to write, read, and verify, which is generally not a
good thing for a cryptographic
On 13 June 2016 at 21:27, Daniel Kahn Gillmor wrote:
> On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote:
>> 1. Use the same key for handshake and application traffic (as in the
>> current draft-13)
>>
> > or
>>
>> 2. Restore a public content type and different keys
> On 13 Jun 2016, at 10:00 PM, Joseph Salowey wrote:
>
> For background please see [1].
>
> Please respond to this message indicating which of the following options you
> prefer by Monday June, 20, 2016
>
> 1. Use the same key for handshake and application traffic (as in
14 matches
Mail list logo