On Thu, Dec 31, 2015 at 12:55:09PM -0800, Eric Rescorla wrote:
> On Thu, Dec 31, 2015 at 12:49 PM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>
> > On Thu, Dec 31, 2015 at 12:23:50PM -0800, Eric Rescorla wrote:
> > > On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusva...@welho.com>
> > > wrote:
> > >
> > > 2. Implementations which only do new algorithms can mandate EMS and not
> > > implement old derivation at all, provided we make that a rule here.
> >
> > Well, the EMS spec already says that endpoints SHOULD abort if
> > extension is not present if they don't want to interop with
> > legacy implementations.
>
> Correct. But as you say, that's a check that you can omit. However, if you
> only implement the EMS derivation then (unless I'm missing something) even if
> you omit the check this should just result in a handshake failure.
Yes, if you don't want to interop with legacy implementations, don't
implement the legacy key derivation.

Unfortunately, I think I figured out that a client requiring ECDHE even with
only NIST curves with full checking (which is contributory if that is even
possible) does _not_ prevent THS attacks. So, if the protocol run on TLS does
not resist THS attacks anyway somehow, you MUST require EMS.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
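The two derivations under discussion side by side, as an added example written for this page (not code from the thread or from any TLS stack). The pre-master secret, nonces and handshake transcripts are constructed sample values; the transcripts are placeholder byte strings standing in for real handshake messages.

```python
import hashlib
import hmac

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256 over label + seed."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def legacy_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246: only the two nonces are mixed in, never the handshake transcript.
    return tls12_prf(pms, b"master secret", client_random + server_random, 48)

def extended_master_secret(pms: bytes, handshake_messages: bytes) -> bytes:
    # RFC 7627: session_hash covers all handshake messages through ClientKeyExchange.
    session_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(pms, b"extended master secret", session_hash, 48)

def finished_verify_data(master_secret: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    # RFC 5246, section 7.4.9: verify_data is 12 bytes of PRF output over the transcript hash.
    return tls12_prf(master_secret, label, hashlib.sha256(handshake_messages).digest(), 12)

# Constructed sample values, not a real capture.
PMS = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
TRANSCRIPT_A = b"ClientHello|ServerHello|Certificate:server-A|ServerKeyExchange|ClientKeyExchange"
TRANSCRIPT_B = b"ClientHello|ServerHello|Certificate:server-B|ServerKeyExchange|ClientKeyExchange"

def compare_derivations() -> tuple:
    """Same PMS and nonces, two different transcripts: (legacy_equal, ems_equal).
    The legacy derivation cannot see the transcript, so it is the same for both."""
    legacy_equal = legacy_master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM) == \
        legacy_master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    ems_equal = extended_master_secret(PMS, TRANSCRIPT_A) == extended_master_secret(PMS, TRANSCRIPT_B)
    return legacy_equal, ems_equal

def ems_only_client_vs_legacy_server() -> bool:
    """Client derives with EMS, server with the legacy PRF, same transcript.
    Returns whether the server would accept the client's Finished."""
    client_ms = extended_master_secret(PMS, TRANSCRIPT_A)
    server_ms = legacy_master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    return finished_verify_data(client_ms, b"client finished", TRANSCRIPT_A) == \
        finished_verify_data(server_ms, b"client finished", TRANSCRIPT_A)

if __name__ == "__main__":
    print(compare_derivations(), ems_only_client_vs_legacy_server())
```

The second function models the point made above: an endpoint that only implements the EMS derivation and skips the extension check still ends up with a Finished mismatch against a legacy peer, so the handshake fails rather than silently falling back.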