Dear all, Sorry about my audio quality issues: my laptop is a bit of a potato and there may have been some coupling from my mike via the table/directionality not as good as it should be.
My concern is that this protocol depends on things that TLS does not claim to provide like secrecy of public keys. E.g. if we used ECDSA it wouldn't work at all. Furthermore its not clear that these big modifications to the handshake really are the right way vs. a different key agreement. IMHO we need an actual formal analysis of this. Just because DPP did it, doesn't make it good. Even if the TLS handshake analysis shows that the handshake is secure if the underlying exchange is secure, it's not clear the underlying handshake is secure. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
