Sorry, I think you lost me there. Can you rephrase? -Ekr
On Thu, May 19, 2016 at 12:35 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Thu, May 19, 2016 at 12:13:45PM -0700, Eric Rescorla wrote:
> > On Thu, May 19, 2016 at 12:11 PM, Ilari Liusvaara <
> > ilariliusva...@welho.com> wrote:
> >
> > > On Thu, May 19, 2016 at 10:41:16AM -0700, Eric Rescorla wrote:
> > >
> > > Just one thing to be careful of: If one has off-handshake counter-
> > > keys[1] (like the now-removed GDH 0-RTT mode had), one needs to hash
> > > those in, or one gets all kinds of crypto screw (which may or may not
> > > be actually exploitable...)
> > >
> > > The "context identifier" looks real handy for that purpose..
> >
> > Yep. We were thinking that too!
> >
> > Thanks for the quick look.
>
> In very quick'n'dirty security analysis the other thing I noticed was
> that if server handshake needs something to be nonce w.r.t. "SS" (e.g.
> happens in GDHE-PSK-CERT modes MT posted I-D about), you need contexts
> anyway, even with just "SS" being PSK.
>
> -Ilari
>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
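The point Ilari raises in the quoted text (off-handshake key material that the key schedule never hashes in, and a handshake that needs something nonce-like relative to "SS" even when SS is just a PSK) can be shown concretely with a toy HKDF-based key schedule. This is an added example, not code from the thread, from any TLS 1.3 draft, or from any implementation: the HKDF-Expand-Label byte layout and the "tls13 " prefix follow RFC 8446 rather than the May 2016 draft being discussed, the "traffic key" label and the `traffic_key`/`demo` helpers are hypothetical, and the PSK and off-handshake keys are constructed sample inputs. Two sessions share the same SS; with the off-handshake key left out of the derivation they get identical traffic keys, and once a hash of it is supplied as the context identifier they diverge.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (empty salt -> zero block)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256: T(i) = HMAC(prk, T(i-1) || info || i)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label with the RFC 8446 HkdfLabel layout:
    uint16 length || opaque label<7..255> || opaque context<0..255>.
    The "tls13 " prefix is the RFC 8446 one, not the 2016 draft's (assumption:
    the exact prefix does not matter for the binding argument shown here)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def traffic_key(ss: bytes, offhandshake_key: bytes, bind_in_context: bool) -> bytes:
    """Derive a 16-byte traffic key from a static secret SS (e.g. a PSK).

    bind_in_context=False: the off-handshake key is simply not part of the
    key schedule, so the output depends on SS alone.
    bind_in_context=True: Hash(off-handshake key) is passed as the
    HKDF-Expand-Label context, so the output is bound to it.
    (The "traffic key" label is a hypothetical one for this example.)
    """
    early_secret = hkdf_extract(b"", ss)
    context = HASH(offhandshake_key).digest() if bind_in_context else b""
    return hkdf_expand_label(early_secret, b"traffic key", context, 16)


def demo() -> dict:
    """Two sessions with the same PSK but different off-handshake keys."""
    psk = b"constructed-psk-shared-by-both-sessions"   # constructed sample input
    k1 = b"constructed off-handshake key, session 1"  # constructed sample input
    k2 = b"constructed off-handshake key, session 2"  # constructed sample input
    unbound = (traffic_key(psk, k1, False), traffic_key(psk, k2, False))
    bound = (traffic_key(psk, k1, True), traffic_key(psk, k2, True))
    return {
        # Nothing per-session reached the KDF: both sessions get the same key.
        "collide_when_unbound": unbound[0] == unbound[1],
        # The context identifier carries the off-handshake key: keys differ.
        "collide_when_bound": bound[0] == bound[1],
    }


if __name__ == "__main__":
    for name, collided in demo().items():
        print(f"{name}: {collided}")
```

The same mechanism covers the second point: whatever the handshake needs to be fresh with respect to SS (a nonce, a transcript hash, an ephemeral share) has to reach the context argument, or every session sharing that PSK derives the same secrets.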