Kurt Roeckx <k...@roeckx.be> wrote:
> On Tue, Dec 29, 2015 at 10:10:47PM +0200, Karthikeyan Bhargavan wrote:
> > As mentioned before, validating Curve25519 public values is necessary in
> > TLS 1.2 without session hash.
> > Otherwise, as we pointed out in [1], the triple handshake attack returns.
>
> Would it make sense to have session hash as a requirement in TLS
> 1.2 when you want to use Curve25519?
I think it is a good idea to implement the session hash extension, in
general. However, I think it is a bad idea to prescribe it as the solution
for this particular problem because:

1. draft-irtf-cfrg-curves-11, in sections 6.1 and 6.2, already requires the
   check for a non-zero result, and that check is sufficient.

2. It is easy to make an automated test that verifies that an X25519/X448
   implementation implements the non-zero check. Adding an automated test for
   conditional enabling of them based on the presence of the session hash
   extension is much harder.

3. It is much less error-prone to implement the non-zero result check than to
   make the availability of X25519/X448 depend on whether or not the session
   hash extension is implemented. Experience, e.g. [1], has shown that such
   conditional enabling is error-prone.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=919677

Cheers,
Brian
--
https://briansmith.org/
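The non-zero result check the thread refers to is the one draft-irtf-cfrg-curves (published as RFC 7748) specifies in its sections 6.1 and 6.2: after computing the X25519 shared secret, abort if the 32-byte output is all zero, because that is what a small-order peer value produces. The following is an added, self-contained illustration written for this page, not code from the thread, from the draft, or from any of the implementations mentioned in it. It implements the RFC 7748 X25519 ladder in pure Python (for readability, not performance or constant-time behaviour), wraps it in a `x25519_shared` helper that performs the all-zero check, and shows how an automated test of that check looks: feed a known low-order u-coordinate (0 or 1) and require rejection. The function names and the `x25519_shared` wrapper are this example's own choices.

```python
# Added example: RFC 7748 X25519 plus the all-zero shared-secret check from
# sections 6.1/6.2. Pure Python for clarity; Python arithmetic is not
# constant time, so this is an illustration of the check, not a production
# implementation.
import hmac

P = 2**255 - 19
A24 = 121665                       # (486662 - 2) / 4, the curve constant used by the ladder
BASE_POINT = bytes([9]) + bytes(31)  # u = 9, the X25519 generator


def decode_u(u: bytes) -> int:
    """Little-endian u-coordinate; the top bit is masked off per RFC 7748 section 5."""
    b = bytearray(u)
    b[31] &= 0x7F
    return int.from_bytes(b, "little")


def encode_u(x: int) -> bytes:
    return (x % P).to_bytes(32, "little")


def clamp_scalar(k: bytes) -> int:
    """Clear the low 3 bits (multiple of the cofactor 8), clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap as written in the RFC (swap is 0 or 1)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; returns the u-coordinate of k*P(u)."""
    x1 = u
    x2, z2, x3, z3 = 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    # A small-order peer value drives the result to the point at infinity,
    # i.e. z2 == 0; pow(0, P-2, P) == 0, so the encoded output is all zero.
    return x2 * pow(z2, P - 2, P) % P


def x25519(private: bytes, peer_u: bytes) -> bytes:
    """Raw X25519 function: no validation, exactly as RFC 7748 defines it."""
    return encode_u(_ladder(clamp_scalar(private), decode_u(peer_u)))


def x25519_shared(private: bytes, peer_public: bytes) -> bytes:
    """X25519 with the RFC 7748 section 6.1 check: reject an all-zero result.

    An all-zero output means the peer supplied a point of small order, so the
    'shared secret' would be independent of our private key. compare_digest is
    used so the comparison itself does not leak timing information.
    """
    k = x25519(private, peer_public)
    if hmac.compare_digest(k, bytes(32)):
        raise ValueError("X25519: all-zero shared secret (low-order peer public key)")
    return k


def rejects_low_order(private: bytes) -> bool:
    """The automated test the thread describes: both u=0 and u=1 must be rejected."""
    for low_order_u in (bytes(32), bytes([1]) + bytes(31)):
        try:
            x25519_shared(private, low_order_u)
            return False
        except ValueError:
            pass
    return True
```

The raw `x25519` function intentionally returns the all-zero value for low-order inputs, so that a test can observe it; `x25519_shared` is the only entry point a protocol implementation should call. The `rejects_low_order` check is independent of any TLS extension negotiation, which is the property the message argues for.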
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls