On Wed, Aug 17, 2016 at 02:49:52PM -0700, Eric Rescorla wrote:
> Folks,
>
> I've just submitted draft-ietf-tls-tls13-15.
Doing brief review:
- Section 4.2.2 talks EdDSA using "ECDSA cipher suites". TLS 1.3 does
not have those. However, this kind of information is very relevant
for TLS 1.2 ba
On Wed, Aug 17, 2016 at 03:09:51PM -0700, Eric Rescorla wrote:
> Issue:
> https://github.com/tlswg/tls13-spec/issues/555
>
> ADL suggested that we could slightly reduce the number of HKDF
> computations by generating the IVs as a single block rather than
> with individual HKDF-Expands. You can't
Amusingly, Keith and I appear to have crossed mid-air in our respective
requests to change KeyUpdate, so this will be a fun collision. Mine is a
tad larger of a change I'm afraid.
We've currently implemented KeyUpdate in our in-progress TLS 1.3 code, but
we've for now ignored the requirement for t
On Wed, Aug 17, 2016 at 4:08 PM, Brian Smith wrote:
> Eric Rescorla wrote:
> > Issue:
> > https://github.com/tlswg/tls13-spec/issues/555
> >
> > ADL suggested that we could slightly reduce the number of HKDF
> > computations by generating the IVs as a single block rather than
> > with individu
Eric Rescorla wrote:
> Issue:
> https://github.com/tlswg/tls13-spec/issues/555
>
> ADL suggested that we could slightly reduce the number of HKDF
> computations by generating the IVs as a single block rather than
> with individual HKDF-Expands. You can't generally do this kind
> of slice-and-dic
In general one has to generate the directional traffic keys independently
due to read/write epochs changing at different times, so I'd prefer it left
as is. (In BoringSSL, we also generate the directional keys independently.
I'd often wished that TLS 1.2 was the same.)
The switch from handshake to
The intention here was to compensate for not having psk_identity_hint.
However, it also allows you to do resumption of PSK-established sessions.
It would be a fairly significant simplification to say you could only have
one PSK, because then we could easily require the client to prove knowledge
of
Issue:
https://github.com/tlswg/tls13-spec/issues/555
ADL suggested that we could slightly reduce the number of HKDF
computations by generating the IVs as a single block rather than
with individual HKDF-Expands. You can't generally do this kind
of slice-and-dice and preserve the key boundary, bu
Is there any support for either of the following ideas:
1) moving the OCSP and SCT server extensions to inside the Certificate
message
2) removing post-handshake client authentication from TLS 1.3 in favor of
dedicated and more detailed draft
On Sun, Aug 7, 2016 at 11:42 PM Martin Thomson
wrot
Folks,
I've just submitted draft-ietf-tls-tls13-15.
The major change in this document is the new negotiation syntax as
discussed in Berlin. There are also a number of small tweaks (see
ChangeLog below).
Remaining significant issues:
#588: The computation of the resumption context with external
Peter Gutmann writes:
> Viktor Dukhovni writes:
>
> >There's no guess, the client sends its full list of supported
> >groups, and the server picks the one it likes.
>
> ... and if the client doesn't get it exactly right, the server has to fall
> back to RSA rather than use another DHE suite of
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Transport Layer Security of the IETF.
Title : The Transport Layer Security (TLS) Protocol Version
1.3
Author : Eric Rescorla
Filename
Peter, so your complaint is about the lack of support for explicitly
specified (non-"named") groups? That's completely intentional, see the
RFC's abstract. (It *shouldn't* be that much of a problem that the server
might be using a ill-chosen group, because if the server does dumb things
we can't sa
Viktor Dukhovni writes:
>The client is expected to send a complete list of *all* the groups it
>supports if it supports (any of) the new designated groups. Which means that
>clients that support these groups will use only these groups with servers
>that likewise suppose these groups, and will not
14 matches
Mail list logo
