> On 28 Nov 2015, at 4:48 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
>
>> On Mon, Nov 23, 2015 at 01:16:35PM -0800, Martin Thomson wrote:
>>
>> Are we happy that we will only be needing the PureEdDSA variants and
>> that no-one will be asking for the HashEdDSA versions? I ask because
>> I've heard it suggested (I think Karthik mentioned this) that we might
>> want to sign the transcript directly in TLS 1.3 rather than rely on
>> collision-resistance of the selected hash function. That would be
>> harder without access to HashEdDSA.
>
> Also, one problem with signing the transcript directly is that because
> of the context prefixes, one would either have to buffer all messages
> or compute multiple hashes.
I think buffering all messages is fine for a regular handshake. The problem begins when you have a certificateRequest later in the negotiation, leading to a certificateVerify which signs the entire transcript. This means that we need to keep the transcript for the duration of the connection just in case the server decides to send a certificateRequest.

If a late certificateRequest signed something other than the entire transcript, I would be very much in favor of signing directly.

Yoav

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
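An added example, not part of the thread, modelling the trade-off Ilari and Yoav describe: with a running transcript hash an endpoint keeps only a hash state after the handshake and extends a copy of it when a late CertificateRequest arrives, whereas signing the transcript directly forces it to retain every transcript byte for the life of the connection. The message bytes and sizes are constructed stand-ins, and the context-prefix layout (64 spaces, a context string, a zero byte) is assumed from the RFC 8446 CertificateVerify construction rather than taken from the drafts discussed here.

```python
import hashlib

# Constructed stand-in messages: only their lengths matter for the comparison.
HANDSHAKE = [b"ClientHello" + b"\x00" * 200, b"ServerHello" + b"\x00" * 80,
             b"Certificate" + b"\x00" * 1500, b"CertificateVerify" + b"\x00" * 70,
             b"ServerFinished" + b"\x00" * 32, b"ClientFinished" + b"\x00" * 32]
LATE = [b"CertificateRequest" + b"\x00" * 20, b"Certificate" + b"\x00" * 1200]

# Assumed context prefix (RFC 8446 style); the drafts in the thread may have differed.
CONTEXT = b" " * 64 + b"TLS 1.3, client CertificateVerify" + b"\x00"


class HashedTranscript:
    """Running hash: the signer sees prefix || H(transcript), as with HashEdDSA."""
    def __init__(self): self._h = hashlib.sha256()
    def append(self, msg): self._h.update(msg)
    def fork(self):
        t = HashedTranscript(); t._h = self._h.copy(); return t   # keep state, not bytes
    def signing_input(self): return CONTEXT + self._h.digest()
    def retained(self): return self._h.digest_size   # approximates the live hash state


class BufferedTranscript:
    """Direct signing: the signer needs every byte of prefix || transcript (PureEdDSA)."""
    def __init__(self): self._buf = []
    def append(self, msg): self._buf.append(msg)
    def fork(self):
        t = BufferedTranscript(); t._buf = list(self._buf); return t
    def signing_input(self): return CONTEXT + b"".join(self._buf)
    def retained(self): return sum(len(m) for m in self._buf)


def late_auth_state(cls):
    """Run the handshake, keep what must survive it, then process a late CertificateRequest.

    Returns (bytes retained after the handshake, length of the late CertificateVerify input).
    """
    t = cls()
    for m in HANDSHAKE:
        t.append(m)
    kept = t.fork()               # the state the endpoint must hold for the connection's life
    retained_after_handshake = kept.retained()
    for m in LATE:
        kept.append(m)
    return retained_after_handshake, len(kept.signing_input())
```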