On Wed, Nov 04, 2015 at 06:30:26AM -0500, Watson Ladd wrote: > This draft needs to say that Curve25519 can only be used along with > extended master secret. Alternatively we can completely remove the > cofactor and reject zero keys.
X25519 and X448 specifications say zero keys MUST be rejected (and the functions are also internally specified to clear the cofactor). -Ilari _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
