On Sunday, July 03, 2016 07:02:05 pm Eric Rescorla wrote:
> This seems reasonable, as the
> only real argument against is that conformant TLS 1.3 servers will have
> only 20 bytes of entropy when doing TLS 1.2 compat (if they put the time in
> the top 32 bytes), as opposed to 24 if they randomize the first 32 bytes.

to correct the typo: 32 bits / 4 bytes; total size of random is 32 bytes / 256 bits

> OTOH, those bytes will be more unique over time (because they are
> guaranteed not to repeat for a very long time after the second has passed),
> so intuitively this seems like a wash.

Under the "Reevaluate handshake contents" part of the current TLS WG charter [0], we have the question: "Are bigger randoms required?". Did the WG ever fully discuss this and come to a decision?

Adding a supplemental entropy extension would be trivial, if we wanted to do so. (I see there was consideration of doing so a while ago [1].) Amending the TLS 1.3 spec to add it as a requirement would be easy, but would it be useful? If we want to allow 2 hacks in the current random value that reduce the entropy, then adding some entropy back in an extension makes some sense.

(If this was already settled at some point, please just point me to wherever that was. I might've just forgotten. ;)

Dave

[0] https://datatracker.ietf.org/wg/tls/charter/
[1] https://tools.ietf.org/html/draft-rescorla-tls-extended-random-02

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
