On Sat, Oct 31, 2015 at 11:29 PM, Ilari Liusvaara <[email protected]> wrote:

> On Sat, Oct 31, 2015 at 10:55:24PM +0900, Eric Rescorla wrote:
> > Sam,
> >
> > Thanks for posting this. It's great to see people doing real formal
> > analysis of the TLS 1.3 draft; this is really helpful in guiding the
> > design.
> >
> > This result motivates and confirms the need to modify the handshake
> > hashes to contain the server Finished when we add post-handshake
> > authentication as is done in PR#316, which of course we'll be
> > discussing in Yokohama.
> > I'd be very interested in learning of the results you get when you model
> > that.
>
> Looking at the issue from a wider angle, this soundness hole appears anytime
> handshake_messages and configuration do not jointly represent the static
> secret (the inclusion of server Finished fixes it for client signature,
> because server Finished represents the static secret).
>
> If TLS ever gets a mode that combines that non-representation with static
> server certificate auth (no idea what such a mode could be), one gets
> problems with server auth.


I've been planning to do a big rewrite of the security "analysis" sections
and while I don't think it's worth having a real analysis in the protocol
(the literature is going to do a much better job here than we can), this
seems like exactly the kind of thing that we do want to capture to
explain the design and for future extensions.

Thanks,
-Ekr