On Sat, Oct 31, 2015 at 10:55:24PM +0900, Eric Rescorla wrote:
> Sam,
>
> Thanks for posting this. It's great to see people doing real formal
> analysis of the TLS 1.3 draft; this is really helpful in guiding the design.
>
> This result motivates and confirms the need to modify the handshake hashes
> to contain the server Finished when we add post-handshake authentication
> as is done in PR#316, which of course we'll be discussing in Yokohama.
> I'd be very interested in learning of the results you get when you model
> that.

Looking at the issue at a wider angle, this soundness hole appears anytime handshake_messages and configuration do not jointly represent the static secret (the inclusion of server Finished fixes it for the client signature, because server Finished represents the static secret).

If TLS ever gets a mode that combines that non-representation with static server certificate auth (no idea what such a mode could be), one gets problems with server auth.

-Ilari
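
Added example, not part of the original messages and not code from the TLS draft: a simplified Python model of why a signed context that covers only handshake_messages is the same in two sessions keyed with different static secrets, and why covering the server Finished separates them. The function names, the key-derivation label and the sample messages are assumptions made for illustration; the Finished computation is a stand-in, not the draft's key schedule.

```python
import hashlib
import hmac

def transcript_hash(messages):
    """Hash of the concatenated handshake messages."""
    return hashlib.sha256(b"".join(messages)).digest()

def server_finished(static_secret, messages):
    """Simplified Finished: a MAC over the transcript, keyed from the static
    secret (assumed derivation, not the draft's key schedule)."""
    key = hmac.new(static_secret, b"server finished", hashlib.sha256).digest()
    return hmac.new(key, transcript_hash(messages), hashlib.sha256).digest()

def client_auth_context(messages, static_secret, include_finished):
    """Value the client signs for post-handshake authentication."""
    covered = list(messages)
    if include_finished:
        # The Finished value depends on the static secret, so the signed
        # context now represents that secret as well as the messages.
        covered.append(server_finished(static_secret, messages))
    return transcript_hash(covered)

def contexts_collide(include_finished):
    """True if a signature made in one session would also verify in the other,
    i.e. both sessions produce the same to-be-signed context."""
    # Constructed sample data: byte-identical handshake messages observed in
    # two sessions that were keyed with different static secrets.
    messages = [b"ClientHello|nonce_c", b"ServerHello|nonce_s"]
    ctx_a = client_auth_context(messages, b"static-secret-A", include_finished)
    ctx_b = client_auth_context(messages, b"static-secret-B", include_finished)
    return hmac.compare_digest(ctx_a, ctx_b)

if __name__ == "__main__":
    print("without server Finished, contexts collide:", contexts_collide(False))
    print("with server Finished, contexts collide:", contexts_collide(True))
```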
