On Tue, Dec 29, 2015 at 09:02:25AM -1000, Brian Smith wrote:
>
> Does that matter, though? The CFRG document doesn't allow the sender to set
> the high bit to 1, right? In particular, it says "All calculations are
> performed in GF(p), i.e., they are performed modulo p." and "For X25519,
> the unused, most-significant bit MUST be zero."
>
> If the receiver can detect that the sender is non-conforming, then it
> should be able to stop talking to it on that basis alone.

I don't know enough about all the various drafts to know if this might be a problem or not, but I'm concerned about providing an error oracle.

Kurt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
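The two receiver behaviours under discussion, as an added example that is not part of the thread or of any draft: a small X25519 implementation following the RFC 7748 ladder, with a u-coordinate decoder that either masks the most-significant bit of the final byte (the behaviour the RFC requires of X25519 implementations) or rejects input that sets it. The second RFC 7748 test vector happens to have that bit set, so it shows directly that a masking receiver returns an ordinary result where a rejecting receiver emits an error a peer can observe. The function names and the `mask_high_bit` switch are this example's own; the arithmetic is not constant time and is for illustration only.

```python
# Added example (not from the mailing-list thread): X25519 per RFC 7748
# section 5, used to contrast a receiver that masks the high bit of a peer's
# u-coordinate with one that rejects it. Educational code, not constant time.

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4
BITS = 255


def decode_u(u: bytes, mask_high_bit: bool = True) -> int:
    """Decode a 32-byte little-endian u-coordinate.

    RFC 7748 requires X25519 implementations to mask the most significant
    bit of the final byte, so a peer that sets it is processed exactly like
    a conforming one. mask_high_bit=False (an assumption of this example)
    models the alternative raised in the thread: detect the non-conforming
    input and refuse it, which gives the peer a distinguishable error.
    """
    if len(u) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    u = bytearray(u)
    if u[31] & 0x80:
        if not mask_high_bit:
            raise ValueError("non-conforming peer: high bit set")
        u[31] &= 0x7F
    # Non-canonical values (p <= u < 2^255) are accepted; the field
    # arithmetic below reduces them modulo p.
    return int.from_bytes(u, "little")


def decode_scalar(k: bytes) -> int:
    """Clamp the private scalar exactly as RFC 7748 specifies."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes, mask_high_bit: bool = True) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte result."""
    scalar = decode_scalar(k)
    x1 = decode_u(u, mask_high_bit)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(BITS - 1, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap (not constant time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def receiver_outcome(k: bytes, peer_u: bytes, mask_high_bit: bool) -> str:
    """What a peer can observe from the receiver: a result, or an error."""
    try:
        return x25519(k, peer_u, mask_high_bit).hex()
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # RFC 7748 section 5.2, second test vector: the final byte of the
    # u-coordinate is 0x93, so its most-significant bit is set.
    k = bytes.fromhex("4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d")
    u = bytes.fromhex("e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493")
    print("masking receiver :", receiver_outcome(k, u, mask_high_bit=True))
    print("rejecting receiver:", receiver_outcome(k, u, mask_high_bit=False))
```

With masking, the key with the high bit set and the same key with it cleared produce the same shared secret and the receiver's behaviour is identical for both; with rejection, the peer gets an error for one and a result for the other, which is the distinguishing signal the reply is worried about.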