On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> On 31 December 2015 at 17:54, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > Zero checks can already be unit-tested/interop-tested just as well.
>
> What ekr said applies, but also this:

I thought ekr's point was that if you need THS resistance, you require EMS. If you don't, not much point worrying what properties individual key exchanges have.

> Yes, you can test that a given implementation does the right checks,
> but you won't be checking during normal operation. If you require
> session-hash, then every handshake includes that check and if someone
> messes up, the handshake just fails. That's far more visible.

I don't think the parts that actually matter are tested in normal use. Unless you mean deimplementing entire old TLS master secret derivation...

-Ilari