On Wed, Jul 31, 2019, at 13:54, Ben Schwartz wrote:
> The batch signing idea is very cool. I'm not entirely sure I understand
> the intended use case, though. The intro suggests that this is motivated
> by DoS defense, but presumably an attacker who controls their own TLS
> client stack could simply omit support for these signature schemes. Do
> you envision a future where servers can safely omit support for all the
> non-batch signature schemes? Or are you thinking of attackers who don't
> control the TLS client stack?

The usual trick when under duress is to attempt to process some requests, and lowering the cost of handling those requests enables higher tolerance to attack and better continuity of service. A server might choose not to serve clients that don't offer batching if it is stressed.

> Minor question: in the tree diagrams, m2 goes to t04. Is there any
> reason it couldn't go directly to t12? That would seem more natural to
> me.

The blinding process is explained in Section 4.3.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
