Folks, https://github.com/tlswg/tls13-spec/issues/224
At the interim we discussed whether it was worth having digital signatures explicitly include the client and server random values rather than just the transcript to enable privilege separation, as proposed by Nikos. We had a little trouble getting clarity on the desired use case, but the two we understood were: 1. Having a separate module which is signing for authentication and wants to explicitly provide a random value to ensure that it's not signing arbitrary data. 2. Having a separate module which is verifying the peer's authentication and wants to explicitly provide a challenge to be signed by the peer. The general feeling was that you could achieve both cases by simply the unprivileged portion of the system provide the module with the handshake transcript and allow it to verify that the random was present in the correct location (or at all in case #2) and so that no change was needed. As I said, there was some confusion on the exact scenario, so if I've misunderstood please clarify. Otherwise, I think we have consensus to close this as WONTFIX. -Ekr
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
