Okay, how about this language that harmonizes with the SSL
approach:

  Key-agreement schemes ECDHE-Curve25519 and ECDHE-Curve448
  perform the Diffie-Hellman protocol using the functions
  X25519 and X448, respectively.  Implementations SHOULD
  compute these functions using the algorithms described in
  RFC7748.  When they do so, implementations MUST check
  whether the computed Diffie-Hellman shared secret is the
  all-zero value and abort if so, as described in Section 6
  of RFC7748.  Alternative implementations of these
  functions SHOULD abort when either input would force the
  output to one of a small set of values, as discussed in
  Section 7 of RFC7748.

That last sentence is explicit (or as explicit as practical
in the scope of this document) because I really can't find
any *instruction* in Section 7 about input checking.

d

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
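
The all-zero check that the proposed text makes mandatory, sketched as an added example that is not part of the original message or of any TCPINC implementation. The ladder follows the X25519 algorithm in RFC 7748; the names `x25519_shared_secret`, `BASE_POINT` and `ZERO_U` are hypothetical, and `ZERO_U` is a constructed input.

```python
import hmac

P = 2**255 - 19    # Curve25519 field prime
A24 = 121665       # ladder constant a24 from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")   # u-coordinate of the base point
ZERO_U = bytes(32)  # constructed sample: a u-coordinate that forces a zero output

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 Montgomery ladder. Python integers are not constant-time,
    so this shows the arithmetic only, not a side-channel-safe build."""
    n = int.from_bytes(k, "little")
    n = (n & ~7 & ((1 << 255) - 1)) | (1 << 254)          # clamp the scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:                                    # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da = (x3 - z3) * a % P
        cb = (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # z2 == 0 (point at infinity) inverts to 0, giving the all-zero output
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_shared_secret(private_key: bytes, peer_public: bytes) -> bytes:
    """Run X25519 and abort on the all-zero result (RFC 7748, Section 6)."""
    if len(private_key) != 32 or len(peer_public) != 32:
        raise ValueError("X25519 inputs must be 32 bytes")
    shared = x25519(private_key, peer_public)
    # compare_digest avoids leaking how many leading bytes matched
    if hmac.compare_digest(shared, bytes(32)):
        raise ValueError("all-zero X25519 shared secret; aborting key agreement")
    return shared
```

The check runs on the output rather than on the peer's input, which is the distinction the message draws between the Section 6 check and input checking.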