On 1/23/2016 2:13 PM, Joseph Birr-Pixton wrote:
Hi,

I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.

For discussion, here's a pull request with possible language:

https://github.com/tlswg/tls13-spec/pull/406

Cheers,
Joe

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Correct me if I'm wrong but:

1) A receiver of a deterministic ECDSA signature verifies it EXACTLY like they would a non-deterministic signature.
2) A receiver of an ECDSA signature cannot determine whether or not the signer did a deterministic signature.
3) A TLS implementation has no way (absent repeating signatures over identical data) of telling whether or not a given signature using the client or server private key is deterministic.

All that suggests that this is a completely unenforceable requirement with respect to TLS.

The above is a long way of saying that this is a WG overreach on internal security module behavior that is not central, cognizable or identifiable to a TLS implementation.

I'd instead recommend you approach the CFRG and offer an internet draft with a target of BCP on the general topic of ECDSA rather than specific guidance for TLS.

Mike




