Hi, all

As mentioned in Tuesday's session, Ed448 and Ed25519ctx add a new parameter to 
the signature function: a context string. Setting this string to a different 
value for each application (where application could be "PKIX", "TLS", "IKE") 
leads to different results and thus a signature made in one context does not 
validate in another context. This reduces the attack surface for attacks 
involving signing oracles.

The CFRG draft suggests that "contexts SHOULD NOT be used opportunistically, as 
that kind of use is very error-prone.  If contexts are used, one SHOULD require 
all signature schemes available for use in that purpose support contexts". As I 
don't think this WG is ready to deprecate RSA, DSA, and ECDSA in one fell 
swoop, I think we should not use contexts. 

So I suggest adding the following sentence at the end of the fifth paragraph of 
section 5.10 ("All EdDSA computations MUST be performed...") of the rfc4492bis 
draft:

   The context parameter for Ed448 MUST be set to the empty string.
Comments?

Yoav
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
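The context separation described in the message above, as an added example that is not part of the original post or of any IETF draft: a constructed, educational Ed25519ctx implementation (RFC 8032 section 5.1 with the dom2 prefix) in plain Python, showing that a signature produced under context "TLS" is rejected when verified under "PKIX". The seed, messages and context labels are made up for the demonstration; the code is not constant-time and not production code.

```python
import hashlib
# Constructed, educational Ed25519ctx (RFC 8032 section 5.1 plus the dom2 prefix)
# in affine coordinates: not constant-time and not for production use.
P, Q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
inv = lambda x: pow(x, P - 2, P)
D, SQRT_M1 = -121665 * inv(121666) % P, pow(2, (P - 1) // 4, P)

def recover_x(y, sign):  # point decompression, RFC 8032 section 5.1.3
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    x = x * SQRT_M1 % P if (x * x - x2) % P else x
    if (x * x - x2) % P: raise ValueError("not a curve point")
    return P - x if (x & 1) != sign else x
def add(p1, p2):  # Edwards addition law with a = -1
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return (x1 * y2 + x2 * y1) * inv(1 + t) % P, (y1 * y2 + x1 * x2) * inv(1 - t) % P
def mul(k, pt):  # double-and-add scalar multiplication (not constant-time)
    r = (0, 1)
    while k:
        r = add(r, pt) if k & 1 else r
        pt, k = add(pt, pt), k >> 1
    return r
B = (recover_x(4 * inv(5) % P, 0), 4 * inv(5) % P)  # base point: y = 4/5, x even
def encode(pt):  # 32 bytes: y little-endian, top bit carries the parity of x
    return (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")
def decode(b):
    y = int.from_bytes(b, "little")
    return recover_x(y & (1 << 255) - 1, y >> 255), y & (1 << 255) - 1
def dom2(ctx):  # domain separator; RFC 8032 requires 1..255 bytes of context here
    assert 1 <= len(ctx) <= 255  # Ed448's dom4 ("SigEd448" + SHAKE256) also allows b""
    return b"SigEd25519 no Ed25519 collisions" + bytes([0, len(ctx)]) + ctx
def H(*parts):  # SHA-512 of the concatenation, read as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")
def keypair(seed):  # -> (clamped scalar a, hash prefix, encoded public key A)
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & (1 << 254) - 8 | 1 << 254
    return a, h[32:], encode(mul(a, B))
def sign(seed, msg, ctx):  # the context is hashed into both r and k
    a, prefix, A = keypair(seed)
    r = H(dom2(ctx), prefix, msg) % Q
    R = encode(mul(r, B))
    k = H(dom2(ctx), R, A, msg) % Q
    return R + ((r + k * a) % Q).to_bytes(32, "little")
def verify(A, msg, sig, ctx):  # a different ctx yields a different k, so this fails
    S = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or S >= Q: return False
    k = H(dom2(ctx), sig[:32], A, msg) % Q
    return mul(S, B) == add(decode(sig[:32]), mul(k, decode(A)))
```

Readers can check the primitives against the Ed25519ctx test vector in RFC 8032 section 7.2; the pure Ed25519 used by TLS differs only in omitting the dom2 prefix.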
