On Sun, Jan 10, 2016 at 07:53:08PM -0800, Joseph Salowey wrote:
> Please respond if you have concern about early code point assignment for
> the curves listed in draft-ietf-tls-curve25519-01
> <https://tools.ietf.org/html/draft-ietf-tls-curve25519-01>.
Wasn't that document effectively merged into RFC4492bis?

Also, one contention point in the recent thread has seemed to be how to deal with THS. Basically, in the basic variant, there is a check (specified as MUST) that partially mitigates THS (without EMS) to the level of P-256 (and to a level stronger than P-384 for X448). But if it is omitted, THS attacks are easy (assuming no EMS).

I did look at whether it would be possible to modify PMS derivation to render it immune to THS without requiring any checks or touching MS derivation. The answer turned out to be negative (though some variants, like the SHA512(A|B|DH(A,B)) one, were impossible to exploit given some reasonable-sounding extra assumptions).

-Ilari