Dan Brown <[email protected]> 于2020年9月10日周四 下午11:18写道:
> *From:* TLS <[email protected]> *On Behalf Of *Salz, Rich > > Do we need a short RFC saying “do not use static DH” ? > > > > Don’t TLS 0-RTT and ESNI/ECH via HPKE use a type of (semi)static ECDH? If > so, then an RFC to ban static (EC)DH in TLS would need to be very clear > about not referring to these use cases of static ECDH. > "should not use (semi)static DH for session key agreement scenario" ? "may use (semi)static ECDH for no forward security requirement 0-RTT scenario" ? > > My 2c. What about combining static ECDH (instead of signatures) with > ephemeral ECDH, e.g. for more fully deniable authentication? (ECMQV does > this.) (Perhaps this is also similar to the KEMTLS proposal for PQC, > https://ia.cr/2020/534 - still need to study that.) > > > ------------------------------ > This transmission (including any attachments) may contain confidential > information, privileged material (including material protected by the > solicitor-client or other applicable privileges), or constitute non-public > information. Any use of this information by anyone other than the intended > recipient is prohibited. If you have received this transmission in error, > please immediately reply to the sender and delete this information from > your system. Use, dissemination, distribution, or reproduction of this > transmission by unintended recipients is not authorized and may be unlawful. > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
