For this reason (among others) I am against PureEdDSA. HashEdDSA dooes the job well enough.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Nikos Mavrogiannopoulos Sent: Thursday, September 24, 2015 10:04 To: Ilari Liusvaara; Simon Josefsson Cc: tls@ietf.org Subject: Re: [TLS] Updated EdDSA/Ed25519 PKIX document On Thu, 2015-09-24 at 15:27 +0300, Ilari Liusvaara wrote: > 4) For TLS PoP signatures, does it make sense to use HashEdDSA at > all? > Another way would to always use PureEdDSA and perform hash separtion > from TLS side (e.g. sign(privkey, hash_func_id|H(tbs_data))). > The certificate signatures are different matter tho, since CAs use > HSMs for signing (those HSMs tend to be rather beefy, but still). The problem with the PureEdDSA is that if you use a smart card or an HSM (both common for TLS), you have to transfer lots of data to them, something that may render it not really useful. Also the PureEdDSA in most implementations it requires a new API for signing. regards, Nikos _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
