Kurt Roeckx <k...@roeckx.be> wrote:
> On Tue, Dec 29, 2015 at 09:02:25AM -1000, Brian Smith wrote:
> >
> > Does that matter, though? The CFRG document doesn't allow the sender to
> > set the high bit to 1, right? In particular, it says "All calculations are
> > performed in GF(p), i.e., they are performed modulo p." and "For X25519,
> > the unused, most-significant bit MUST be zero."
> >
> > If the receiver can detect that the sender is non-conforming, then it
> > should be able to stop talking to it on that basis alone.
>
> I don't know enough about all the various drafts to know if this
> might be a problem or not, but I'm concerned about providing an
> error oracle.
>
It's a public value sent by the other side, so that's not an issue.

Cheers,
Brian
--
https://briansmith.org/