On Saturday, January 23, 2016 07:47:11 pm Michael StJohns wrote:
> 1) A receiver of a deterministic ECDSA signature verifies it EXACTLY
> like they would a non-deterministic signature.
> 2) A receiver of an ECDSA signature cannot determine whether or not the
> signer did a deterministic signature.
> 3) A TLS implementation has no way (absent repeating signatures over
> identical data) of telling whether or not a given signature using the
> client or server private key is deterministic.
>
> All that suggests that this is a completely unenforceable requirement
> with respect to TLS.

We can have unverifiable & unenforceable MUSTs. A SHOULD might be more appropriate, however, if we want to acknowledge this limitation to some degree.

> The above is a long way of saying that this is a WG overreach on
> internal security module behavior that is not central, cognizable or
> identifiable to a TLS implementation.

As far as I'm concerned, anything that directly affects the security of TLS is not an overreach. Beyond scope of control, yes, but it's not an overreach to lay out how to do things properly that commonly result in vulnerabilities with TLS. Like everything else in an RFC, it can of course be ignored, but I think it's worth it to make an official statement in the spec on how to do things properly.

Dave