On Sat, Oct 31, 2015 at 10:55:24PM +0900, Eric Rescorla wrote:
> Sam,
> 
> Thanks for posting this. It's great to see people doing real formal
> analysis of the TLS 1.3 draft; this is really helpful in guiding the design.
>
> This result motivates and confirms the need to modify the handshake hashes
> to contain the server Finished when we add post-handshake authentication
> as is done in PR#316, which of course we'll be discussing in Yokohama.
> I'd be very interested in learning of the results you get when you model
> that.

Looking at the issue at a wider angle, this soundness hole appears anytime
handshake_messages and configuration do not jointly represent the static
secret (the inclusion of server Finished fixes it for client signature,
because server Finished represents the static secret).

If TLS ever gets a mode that combines that non-representation with static
server certificate auth (no idea what such mode could be), one gets
problems with server auth.


-Ilari

_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
