> On 24 Jan 2016, at 2:47 AM, Michael StJohns <m...@nthpermutation.com> wrote:
> 
> On 1/23/2016 2:13 PM, Joseph Birr-Pixton wrote:
>> Hi,
>> 
>> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
>> 
>> For discussion, here's a pull request with possible language:
>> 
>> https://github.com/tlswg/tls13-spec/pull/406
>> 
>> Cheers,
>> Joe
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> 
> 
> Correct me if I'm wrong but:
> 
> 1) A receiver of a deterministic ECDSA signature verifies it EXACTLY like
> they would a non-deterministic signature.
> 2) A receiver of an ECDSA signature cannot determine whether or not the 
> signer did a deterministic signature.
> 3) A TLS implementation has no way (absent repeating signatures over 
> identical data) of telling whether or not a given signature using the client 
> or server private key is deterministic.

I might be missing something, but if k is deterministic, do we really need to 
send it? Can’t the receiver figure it out the same way that the sender did?

I know that makes it break compatibility, but since this is TLS 1.3 anyway, 
that’s not an issue, I think.

Yoav
