Thanks for doing the text.

Russ


On May 19, 2016, at 3:22 PM, David Benjamin <david...@chromium.org> wrote:

> If the WG agrees with this change, I've put together a PR here:
> https://github.com/tlswg/tls13-spec/pull/462
> 
> On Tue, May 17, 2016 at 4:14 PM David Benjamin <david...@chromium.org> wrote:
> Reviving this thread, I also think it would be a good idea if 1.3 did 
> not strip zeros from Z. Having this logic is rather dubious w.r.t. 
> treating secret data in constant-time. And as Bill Cox mentioned elsewhere in 
> this thread, this odd behavior has caused interoperability issues in the past.
> 
> I don't think we have to be worried about inconsistency with 1.2 as, by the 
> time this happens, we will already know we're speaking 1.3. TLS 1.3 DHE is 
> already a very different beast from TLS 1.2 DHE. At this point, the only 
> thing they meaningfully share is they happen to use the same code points.
> 
> David
> 
> On Thu, Apr 7, 2016 at 10:37 AM Russ Housley <hous...@vigilsec.com> wrote:
> I would prefer to always use the full, known-length byte string for Z.  In my 
> experience, it is better to know the lengths of byte strings instead of 
> stripping leading zeroes.  The difference in the speed of the HKDF 
> computation by omitting the leading zeros is not significant.  Alignment with 
> NIST SP 800-56A is nice, but it is not the reason for my preference.
> 
> Russ
> 
> 
> On Mar 28, 2016, at 11:56 AM, Maarten Bodewes <maarten.bode...@gmail.com> 
> wrote:
> 
> > Hi all,
> >
> > I see that the leading zero is stripped off of the value of Z (the shared 
> > secret) before it is used as input to HKDF. This seems to be compatible 
> > with TLS 1.2. Then again, it is not compatible with e.g. NIST SP 800-56A which 
> > uses the value of Z with the same size of the prime in octets. Furthermore, 
> > it is also different with regards to handling the coordinate X as used in 
> > ECDH.
> >
> > Was this a conscious decision to keep compatibility with TLS? Has the use 
> > of the value of Z including zero octets been considered?
> >
> > Regards,
> > Maarten
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
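
Added example, not part of the original thread or of the TLS specification text: it shows how the two encodings of Z discussed above feed different bytes into HKDF-Extract whenever Z has a leading zero octet, so a padding peer and a stripping peer disagree only on some exchanges. The 16-bit prime, generator 2, all-zero salt and all helper names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed toy group, NOT a real TLS group: 65521 is a 16-bit prime, so Z
# occupies two octets and loses one whenever Z < 256.
P, G = 65521, 2


def encode_fixed(z: int, p: int) -> bytes:
    """Z left-padded with zero octets to the octet length of the prime."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def encode_stripped(z: int) -> bytes:
    """Z with leading zero octets removed; output length depends on secret Z."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract from RFC 5869 with SHA-256: HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def peers_agree(z: int, p: int, salt: bytes = bytes(32)) -> bool:
    """True if a padding peer and a stripping peer extract the same secret."""
    return hmac.compare_digest(hkdf_extract(salt, encode_fixed(z, p)),
                               hkdf_extract(salt, encode_stripped(z)))


def mismatches(p: int, g: int, keys: range) -> list:
    """(a, b, Z) for every private-key pair where the two encodings diverge."""
    out = []
    for a in keys:
        peer_public = pow(g, a, p)
        for b in keys:
            z = pow(peer_public, b, p)
            if not peers_agree(z, p):
                out.append((a, b, z))
    return out


if __name__ == "__main__":
    keys = range(2, 200)  # constructed private keys
    bad = mismatches(P, G, keys)
    print(f"{len(bad)} of {len(keys) ** 2} exchanges disagree on the secret")
```
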
