On Thu, Sep 24, 2015 at 04:03:28PM +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, 2015-09-24 at 15:27 +0300, Ilari Liusvaara wrote:
>
> > 4) For TLS PoP signatures, does it make sense to use HashEdDSA at
> > all?
> > Another way would be to always use PureEdDSA and perform hash separation
> > from TLS side (e.g. sign(privkey, hash_func_id|H(tbs_data))).
> > The certificate signatures are different matter tho, since CAs use
> > HSMs for signing (those HSMs tend to be rather beefy, but still).
>
> The problem with the PureEdDSA is that if you use a smart card or an
> HSM (both common for TLS), you have to transfer lots of data to them,
> something that may render it not really useful.

Well, hash_func_id|H(tbs_data) is 33-65 bytes for most nontrivial
hashes. In TLS 1.3 Editor's copy, tbs_data itself is <150 bytes (but
there will be changes to merge certificate and its verify, which will
presumably enlarge that a bit, but still maybe <200 bytes).

I presume if TLS PoP can use HashEdDSA keys, then the TLS HashAlgorithm
MUST equal HashEdDSA prehash (and with current proposed kinds, that
would always be 6 => SHA-512).

> Also the PureEdDSA in most implementations it requires a new API for
> signing.

Oh yes, the old bad PKCS#11 signature API that takes online signing
model... Nevermind most of the time verification is offline (TLS is
actually one of the few exceptions).

-Ilari
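
The construction discussed in the message above, sign(privkey, hash_func_id|H(tbs_data)) with PureEdDSA, as an added example that is not part of the original e-mail. Assumptions: Go's standard-library Ed25519 stands in for the EdDSA key, the ids are the TLS 1.2 HashAlgorithm values, and the function names, the all-zero seed and the 150-byte tbs_data are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
)

// TLS 1.2 HashAlgorithm ids (RFC 5246): sha256=4, sha384=5, sha512=6.
var tlsHash = map[byte]func() hash.Hash{4: sha256.New, 5: sha512.New384, 6: sha512.New}

// tokenInput builds hash_func_id|H(tbs_data), the only bytes sent to the card or HSM.
func tokenInput(id byte, tbs []byte) ([]byte, error) {
	newHash, ok := tlsHash[id]
	if !ok {
		return nil, fmt.Errorf("unsupported hash_func_id %d", id)
	}
	h := newHash()
	h.Write(tbs)
	return h.Sum([]byte{id}), nil // id byte followed by the digest
}

// signPoP is PureEdDSA (plain Ed25519 here) over the tagged digest.
func signPoP(priv ed25519.PrivateKey, id byte, tbs []byte) ([]byte, error) {
	in, err := tokenInput(id, tbs)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, in), nil
}

// verifyPoP rebuilds the tagged digest; a signature made under another id fails.
func verifyPoP(pub ed25519.PublicKey, id byte, tbs, sig []byte) bool {
	in, err := tokenInput(id, tbs)
	return err == nil && ed25519.Verify(pub, in, sig)
}

func demoKey() (ed25519.PrivateKey, ed25519.PublicKey) { // constructed seed, demo only
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	priv, pub := demoKey()
	tbs := make([]byte, 150) // constructed stand-in for TLS tbs_data
	sig, _ := signPoP(priv, 6, tbs)
	fmt.Println(verifyPoP(pub, 6, tbs, sig), verifyPoP(pub, 4, tbs, sig))
}
```

The signer receives 33 bytes for SHA-256 and 65 bytes for SHA-512 regardless of how large tbs_data grows, and the leading id byte is what keeps a signature made under one hash from verifying under another.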