On Sat, Oct 31, 2015 at 11:29 PM, Ilari Liusvaara <[email protected]> wrote:
> On Sat, Oct 31, 2015 at 10:55:24PM +0900, Eric Rescorla wrote:
> > Sam,
> >
> > Thanks for posting this. It's great to see people doing real formal
> > analysis of the TLS 1.3 draft; this is really helpful in guiding the
> > design.
> >
> > This result motivates and confirms the need to modify the handshake
> > hashes to contain the server Finished when we add post-handshake
> > authentication as is done in PR#316, which of course we'll be
> > discussing in Yokohama. I'd be very interested in learning of the
> > results you get when you model that.
>
> Looking at the issue at a wider angle, this soundness hole appears anytime
> handshake_messages and configuration do not jointly represent the static
> secret (the inclusion of server Finished fixes it for client signature,
> because server Finished represents the static secret).
>
> If TLS ever gets a mode that combines that non-representation with static
> server certificate auth (no idea what such mode could be), one gets
> problems with server auth.

I've been planning to do a big rewrite of the security "analysis" sections and while I don't think it's worth having a real analysis in the protocol (the literature is going to do a much better job here than we can), this seems like exactly the kind of thing that we do want to capture to explain the design and for future extensions.

Thanks,
-Ekr
