> So presumably instead of hashing the bare nonces for the keyex sig you'd hash
> the entire hello message that contains them?

Yes, I’d suggest hashing in the log up to ServerHello, or if you don’t want to clone the hash state, then maybe the log up to ServerCertificate. I agree that the benefit of this is not so clear for known-weak/export ciphersuites which should simply be disabled. The main advantage is that it is a uniform way to prevent potential future downgrades on things like the elliptic curve. It also prevents some downgrade attacks on False Start in case LTS enables it (I assume it doesn’t).

> There's an SCSV-shaped hole in the draft for that :-).

Yeah, SCSV-like mechanisms can prevent downgrades from LTS to non-LTS, but only as long as the non-LTS version does not support weak key exchanges like export RSA/DHE. Otherwise, the attacker first deletes LTS, then downgrades to a weak key exchange, then breaks it to complete and hijack the connection. So to get the full gain of LTS, we must require LTS implementations to blacklist weak ciphers even for non-LTS TLS 1.2 connections.

-Karthik

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
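The difference between signing the bare nonces and signing the handshake log up to ServerHello, as an added toy model that is not part of this thread or of any TLS implementation; it assumes simplified byte-string message encodings and stands in an HMAC for the server's signature, both for self-containedness:

```python
import hashlib
import hmac

# Constructed toy model: messages are simplified byte strings, not real TLS encodings.
# The server's signature is stood in for by an HMAC under a key only the server holds.
SERVER_KEY = b"stand-in for the server's private signing key"

def sign(data: bytes) -> bytes:
    return hmac.new(SERVER_KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def client_hello(client_random: bytes, suites: list) -> bytes:
    return b"ClientHello|" + client_random + b"|" + b",".join(suites)

def server_hello(server_random: bytes, chosen: bytes) -> bytes:
    return b"ServerHello|" + server_random + b"|" + chosen

def signed_input(mode: str, cr: bytes, sr: bytes, ch: bytes, sh: bytes, dh: bytes) -> bytes:
    """What the ServerKeyExchange signature covers in each design."""
    if mode == "nonces":
        # TLS 1.2 style: only the two randoms and the DH parameters are signed.
        return cr + sr + dh
    # Proposed variant: hash the handshake log up to ServerHello and sign that with the params.
    return hashlib.sha256(ch + sh).digest() + dh

def run_handshake(mode: str, downgraded: bool) -> bool:
    """Returns True if the client accepts the ServerKeyExchange signature."""
    cr, sr = b"C" * 32, b"S" * 32
    ch_sent = client_hello(cr, [b"DHE_RSA_AES128"])  # client offers only a strong suite
    if downgraded:
        # On-path modification: the server sees an export-only offer and picks a weak group,
        # while the client is shown a ServerHello that still names the strong suite.
        ch_at_server = client_hello(cr, [b"DHE_RSA_EXPORT"])
        sh_at_server = server_hello(sr, b"DHE_RSA_EXPORT")
        sh_at_client = server_hello(sr, b"DHE_RSA_AES128")
        dh = b"512-bit export group"
    else:
        ch_at_server, sh_at_server = ch_sent, server_hello(sr, b"DHE_RSA_AES128")
        sh_at_client = sh_at_server
        dh = b"2048-bit group"
    sig = sign(signed_input(mode, cr, sr, ch_at_server, sh_at_server, dh))
    # The client checks the signature against the handshake as it saw it: in "nonces" mode
    # the tampered hello messages never enter the signed data, so the downgrade goes unnoticed.
    return verify(signed_input(mode, cr, sr, ch_sent, sh_at_client, dh), sig)
```

With transcript binding the client's own (unmodified) ClientHello and the ServerHello it received feed the hash, so any on-path edit to either message makes the signature fail to verify.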