Folks,

https://github.com/tlswg/tls13-spec/issues/224

At the interim we discussed whether it was worth having digital
signatures explicitly include the client and server random values
rather than just the transcript to enable privilege separation, as
proposed by Nikos. We had a little trouble getting clarity on the
desired use case, but the two we understood were:

1. Having a separate module which is signing for authentication
   and wants to explicitly provide a random value to ensure
   that it's not signing arbitrary data.

2. Having a separate module which is verifying the peer's authentication
   and wants to explicitly provide a challenge to be signed by the
   peer.

The general feeling was that you could achieve both cases by simply
the unprivileged portion of the system provide the module with the
handshake transcript and allow it to verify that the random
was present in the correct location (or at all in case #2) and so
that no change was needed.

As I said, there was some confusion on the exact scenario, so if
I've misunderstood please clarify. Otherwise, I think we have
consensus to close this as WONTFIX.

-Ekr
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

Reply via email to