So the key schedule changed and therefore we think cross-version attacks
are impossible. Have we also analyzed other protocols to ensure that
cross protocol attacks, e.g. with SSH or IPsec, are out of the question?
Put differently, algorithm designers gave us a cheap, easy to use tool
to avoid a class of potential attacks. Why are we insisting on not using it?
Thanks,
Yaron
On 20/11/16 17:33, Salz, Rich wrote:
For those who missed CURDLE, could you please briefly explain why we don't
need signature context in non-TLS areas.
The one place we were concerned about attacks was in pre-hash signatures, and
we made those a MUST NOT. And yes, you're right, it's not relevant to TLS.
So why are we now saying that contexts are not needed even for TLS?
I think because the key schedule changed.
--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls