On Wed, Jul 31, 2019 at 3:35 AM Ilari Liusvaara <[email protected]> wrote:
> On Mon, Jul 29, 2019 at 08:15:44PM -0400, David Benjamin wrote:
> > Hi all,
> >
> > I’ve just uploaded a pair of drafts relating to signatures in TLS 1.3.
> > https://tools.ietf.org/html/draft-davidben-tls13-pkcs1-00
> > https://tools.ietf.org/html/draft-davidben-tls-batch-signing-00
> >
> > The second describes a batch signing mechanism for TLS using Merkle trees.
> > It allows TLS clients and servers to better handle signing load. I think it
> > could be beneficial for a number of DoS and remote key scenarios.
>
> Why is the context string same for clients and servers? The base TLS
> 1.3 signatures use different context strings for client and server.

I don't think it's necessary here. The existing separation between client and server in the base TLS 1.3 signatures is preserved here because the input messages include their respective context strings. And if we do TLS 1.4 with its own context string, that'll get picked up too.

> What is the hash length of SHAKE256 in Ed448_batch? 512 bits (64
> octets) required to saturate the collision resistance?

Ah, right. Yeah, let's say 512 bits / 64 bytes. I'll incorporate that into the next version of the draft.

> "to a random byte of string of" in section 3.1, should that be
> "to a random byte string of"?

Oops, thanks! Fixed in local copy.

David
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
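An added illustration of the reply about context strings (not code from the draft or from either poster): when the Merkle leaves are the TLS 1.3 CertificateVerify inputs from RFC 8446 section 4.4.3, a membership proof for a server message does not verify for the client-context message over the same transcript. The SHA-256 tree with 0x00/0x01 prefixes, the power-of-two batch size and all function names are assumptions made for this sketch, not the draft's encoding.

```python
import hashlib

# CertificateVerify context strings from RFC 8446, section 4.4.3.
SERVER_CTX = b"TLS 1.3, server CertificateVerify"
CLIENT_CTX = b"TLS 1.3, client CertificateVerify"

def tls13_signature_input(context: bytes, transcript_hash: bytes) -> bytes:
    """Content a TLS 1.3 CertificateVerify signature covers (RFC 8446, 4.4.3)."""
    return b"\x20" * 64 + context + b"\x00" + transcript_hash

# Assumed tree hashing for this sketch: 0x00 prefix for leaves, 0x01 for nodes.
def leaf_hash(message: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + message).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(messages):
    """Return all tree levels, leaves first; the last level holds the root."""
    if not messages or len(messages) & (len(messages) - 1):
        raise ValueError("sketch requires a power-of-two batch size")
    levels = [[leaf_hash(m) for m in messages]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from the leaf at `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(message, index, path):
    """Recompute the root a verifier would check the batch signature against."""
    h = leaf_hash(message)
    for sibling in path:
        h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index >>= 1
    return h

def demo():
    # Constructed sample data: one transcript hash used with both contexts.
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    server_msg = tls13_signature_input(SERVER_CTX, transcript)
    client_msg = tls13_signature_input(CLIENT_CTX, transcript)
    others = [tls13_signature_input(SERVER_CTX, hashlib.sha256(bytes([i])).digest())
              for i in range(3)]
    levels = build_tree([server_msg] + others)
    root, path = levels[-1][0], auth_path(levels, 0)
    return (root_from_path(server_msg, 0, path) == root,
            root_from_path(client_msg, 0, path) == root)
```

`demo()` returns whether the server message and then the client-context message reproduce the root; only the first does.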
