Nico Williams <n...@cryptonector.com> writes:

> It's quite fine to want encryption at a lower layer than
> authentication, but if you do that then you'd better either key the
> lower layer from the upper layer, or channel bind the lower layer into
> authentication.


I strongly oppose keying the lower layer from the upper layer. This is precisely where people get into problems from poor entropy or forgetting to bzero key material or messing up forward secrecy. Conversely, channel binding is exactly the kind of minimal yet very expressive interface that can very cleanly be exposed by a lower layer guaranteeing forward secrecy.

> What I'd like to see is ECDH with ephemeral public keys for TCPINC
> with an API by which to extract channel binding data that can be fed
> into an application-layer protocol. (Perhaps even TLS with null
> ciphersuite + TCPINC. Whatever.)

Obviously I agree. The only thing I would add is that there should also be an application-aware bit to make things like DANE support transparent in the future.

David

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
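
Added example, not part of the original message or of any TCPINC draft: a sketch of the interface discussed in this thread, where the lower layer runs an ephemeral key exchange, keeps its keys private, and exposes only a channel binding value that application-layer authentication covers. Assumptions: the `LowerLayer` class and its methods are hypothetical, a toy finite-field Diffie-Hellman stands in for ephemeral ECDH so the block runs on the standard library alone, and the binding is taken to be a hash of both ephemeral public keys.

```python
import hashlib, hmac, secrets

# Toy finite-field DH standing in for ephemeral ECDH (stdlib only; not a vetted group).
P, G = 2**255 - 19, 2

class LowerLayer:
    """Hypothetical opportunistic-encryption endpoint. Keys never leave this object."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1      # ephemeral, one per connection
        self.pub = pow(G, self._priv, P)

    def handshake(self, peer_pub, initiator):
        shared = pow(peer_pub, self._priv, P)
        self._key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
        # Binding covers both public keys as this endpoint saw them, initiator first.
        a, b = (self.pub, peer_pub) if initiator else (peer_pub, self.pub)
        self._cb = hashlib.sha256(b"cb" + a.to_bytes(32, "big") + b.to_bytes(32, "big")).digest()
        self._priv = None                              # drop the reference to the ephemeral secret

    def channel_binding(self):
        """The only value exposed upward: identifies this session, reveals no key."""
        return self._cb

def auth_tag(credential, cb):
    # Application-layer authentication that covers the channel binding.
    return hmac.new(credential, b"auth" + cb, hashlib.sha256).digest()

def server_accepts(intercepted):
    """Return True if the server's check of the client's tag succeeds."""
    credential = secrets.token_bytes(32)   # constructed long-term application secret
    client, server = LowerLayer(), LowerLayer()
    if intercepted:
        # A middle party terminates both handshakes, so each end sees different keys.
        to_client, to_server = LowerLayer(), LowerLayer()
        client.handshake(to_client.pub, True)
        to_client.handshake(client.pub, False)
        to_server.handshake(server.pub, True)
        server.handshake(to_server.pub, False)
    else:
        client.handshake(server.pub, True)
        server.handshake(client.pub, False)
    tag = auth_tag(credential, client.channel_binding())  # relayed unchanged if intercepted
    return hmac.compare_digest(tag, auth_tag(credential, server.channel_binding()))
```

The application never handles key material here; it only feeds `channel_binding()` into its own authentication, and a mismatch between the two ends makes that authentication fail.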