On Mon, Nov 23, 2015 at 02:20:15PM -0800, Martin Thomson wrote:
> On 23 November 2015 at 14:08, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > Also, the prehashes might not be the same for Ed25519ph and Ed448ph,
> > plus I consider interfaces that let one use this dangerous (IUF
> > signing is dangerous!).
>
> That suggests that the construction of CertificateVerify is dangerous
> in the same way, doesn't it?

The problem is that in general, one must not act on invalid data (and IUF signatures positively encourage acting on invalid data), but in the case of TLS CertificateVerify, one is expected to act on data, even if invalid, and the TLS protocol is designed with that in mind.

-Ilari
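
The hazard discussed in this message, as an added example that is not part of the original thread: an Init-Update-Final (IUF) verifier only yields a verdict at `final()`, so a consumer that processes chunks while feeding them has already acted on the data when the check fails. HMAC-SHA256 stands in for a prehash signature such as Ed25519ph (an assumption, chosen so the example runs with the standard library only); the class, function names, key and messages are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a signature key

def sign(key, msg):
    """One-shot tag over the whole message (stand-in for a signature)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

class IUFVerifier:
    """Init-Update-Final verifier: validity is unknown until final()."""
    def __init__(self, key):
        self._h = hmac.new(key, digestmod=hashlib.sha256)

    def update(self, chunk):
        self._h.update(chunk)

    def final(self, tag):
        return hmac.compare_digest(self._h.digest(), tag)

def streaming_consumer(chunks, tag, act):
    """Hazardous pattern: acts on each chunk before any verdict exists."""
    v = IUFVerifier(KEY)
    for c in chunks:
        v.update(c)
        act(c)  # side effect on data that has not been verified yet
    return v.final(tag)

def buffered_consumer(chunks, tag, act):
    """Verify the complete message first, release it only if valid."""
    msg = b"".join(chunks)
    if not hmac.compare_digest(sign(KEY, msg), tag):
        return False
    for c in chunks:
        act(c)
    return True

def demo():
    good = [b"set mode=safe;", b"limit=10;"]         # constructed message
    tag = sign(KEY, b"".join(good))
    tampered = [b"set mode=safe;", b"limit=9999;"]   # constructed tampering
    acted_stream, acted_buf = [], []
    ok_stream = streaming_consumer(tampered, tag, acted_stream.append)
    ok_buf = buffered_consumer(tampered, tag, acted_buf.append)
    return ok_stream, acted_stream, ok_buf, acted_buf
```

Both consumers reject the tampered message, but only the buffered one does so without having processed any of it.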