On Wed, Nov 23, 2016 at 03:39:38PM +0200, Yoav Nir wrote:
> 
> > On 23 Nov 2016, at 12:22, John Mattsson <john.matts...@ericsson.com> wrote:
> > 
> > On 2016-11-21, 06:31, "TLS on behalf of Yaron Sheffer"
> > <tls-boun...@ietf.org on behalf of yaronf.i...@gmail.com> wrote:
> > 
> >> So the key schedule changed and therefore we think cross-version attacks
> >> are impossible. Have we also analyzed other protocols to ensure that
> >> cross protocol attacks, e.g. with SSH or IPsec, are out of the question?
> >> 
> >> Put differently, algorithm designers gave us a cheap, easy to use tool
> >> to avoid a class of potential attacks. Why are we insisting on not using
> >> it?
> > 
> > Unless someone points out any major disadvantages with using a context, I
> > agree with Yaron.
> 
> I’m not even sure what my position is on this. Specifying the use of a
> context here goes against the recommendation in the CFRG draft:
> 
>     Contexts SHOULD NOT be used opportunistically, as that kind of use
>     is very error-prone. If contexts are used, one SHOULD require all
>     signature schemes available for use in that purpose support
>     contexts.
> 
> If someone knows why this recommendation was made, that would be great.
Basically, then those other methods would be a weak point for attack.

Then there's the serious deployment problems with contexts, as those
don't fit into any standard notion of signature various libraries have.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
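An added example, not part of the thread and not code from the CFRG draft authors or any TLS implementation: a minimal reference-style Ed25519 / Ed25519ctx (RFC 8032) in pure Python, written to show concretely what the "context" under discussion does. The `dom2` domain separator is hashed into both the nonce and the challenge, so a signature made under one context label does not verify under another label or under pure Ed25519. The key seed is RFC 8032 test vector 1; the context labels `b"TLS 1.3"` and `b"SSH"` and the message bytes are constructed for the demo. The flip side is visible too: the context check can only reject signatures that carry a context, which is the weak point Ilari names when the same key is also usable with a context-free scheme.

```python
# Added example (not from the thread): minimal Ed25519 / Ed25519ctx per RFC 8032, stdlib only,
# reference style (not constant-time, not for production use).
import hashlib

P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, P - 2, P) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)

def _add(a, b):  # twisted Edwards addition, extended coordinates (RFC 8032 5.1.4)
    x1, y1, z1, t1 = a
    x2, y2, z2, t2 = b
    A, B = (y1 - x1) * (y2 - x2) % P, (y1 + x1) * (y2 + x2) % P
    C, Dd = 2 * t1 * t2 * D % P, 2 * z1 * z2 % P
    E, F, G, H = B - A, Dd - C, Dd + C, B + A
    return (E * F % P, G * H % P, F * G % P, E * H % P)

def _mul(s, pt):  # double-and-add from the neutral element
    acc = (0, 1, 1, 0)
    while s:
        if s & 1:
            acc = _add(acc, pt)
        pt, s = _add(pt, pt), s >> 1
    return acc

def _recover_x(y, sign):  # x from y and the sign bit, or None if not on the curve
    if y >= P:
        return None
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None
    return P - x if (x & 1) != sign else x

def _compress(pt):  # 32-byte encoding: y with the sign of x in the top bit
    zi = pow(pt[2], P - 2, P)
    x, y = pt[0] * zi % P, pt[1] * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decompress(b):
    v = int.from_bytes(b, "little")
    y, x = v & ((1 << 255) - 1), _recover_x(v & ((1 << 255) - 1), v >> 255)
    return None if x is None else (x, y, 1, x * y % P)

_GY = 4 * pow(5, P - 2, P) % P
G = (_recover_x(_GY, 0), _GY, 1, _recover_x(_GY, 0) * _GY % P)

def dom2(ctx):
    # Domain separator (RFC 8032 5.1): empty for pure Ed25519; for Ed25519ctx it is
    # "SigEd25519 no Ed25519 collisions" || 0x00 || len(ctx) || ctx, hashed into nonce and challenge.
    if ctx is None:
        return b""
    if not 0 < len(ctx) <= 255:
        raise ValueError("Ed25519ctx context must be 1..255 bytes")
    return b"SigEd25519 no Ed25519 collisions" + bytes([0, len(ctx)]) + ctx

def _hash_mod_q(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % Q

def _expand(seed):  # RFC 8032 5.1.5: clamped scalar a and the nonce prefix
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def public_key(seed):
    return _compress(_mul(_expand(seed)[0], G))

def sign(seed, msg, ctx=None):  # ctx=None is pure Ed25519, ctx=bytes is Ed25519ctx
    a, prefix = _expand(seed)
    A = _compress(_mul(a, G))
    r = _hash_mod_q(dom2(ctx), prefix, msg)
    R = _compress(_mul(r, G))
    s = (r + _hash_mod_q(dom2(ctx), R, A, msg) * a) % Q
    return R + s.to_bytes(32, "little")

def verify(pub, msg, sig, ctx=None):
    if len(sig) != 64 or len(pub) != 32:
        return False
    A, R, s = _decompress(pub), _decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= Q:
        return False
    h = _hash_mod_q(dom2(ctx), sig[:32], pub, msg)
    return _compress(_mul(s, G)) == _compress(_add(R, _mul(h, A)))  # [s]B == R + [h]A

def context_demo():
    # Constructed scenario: one key (seed = RFC 8032 test vector 1), one message, signed under
    # the made-up context label b"TLS 1.3", then checked by three differently configured verifiers.
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pub, msg = public_key(seed), b"constructed transcript bytes"
    sig = sign(seed, msg, ctx=b"TLS 1.3")
    return {
        "same_context": verify(pub, msg, sig, ctx=b"TLS 1.3"),  # True
        "other_context": verify(pub, msg, sig, ctx=b"SSH"),     # False
        "pure_ed25519": verify(pub, msg, sig),                  # False
    }
```

`context_demo()` returns the three outcomes; only the verifier that supplies the same label accepts the signature. Note that `dom2` rejects an empty context, matching the RFC's 1..255 byte limit, so a deployment cannot silently fall back to "no context" by passing an empty string.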