On Thu, 2015-09-24 at 15:27 +0300, Ilari Liusvaara wrote: > 4) For TLS PoP signatures, does it make sense to use HashEdDSA at > all? > Another way would to always use PureEdDSA and perform hash separtion > from TLS side (e.g. sign(privkey, hash_func_id|H(tbs_data))). > The certificate signatures are different matter tho, since CAs use > HSMs for signing (those HSMs tend to be rather beefy, but still).
The problem with the PureEdDSA is that if you use a smart card or an HSM (both common for TLS), you have to transfer lots of data to them, something that may render it not really useful. Also the PureEdDSA in most implementations it requires a new API for signing. regards, Nikos _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
