On Fri, Jul 20, 2018 at 3:43 AM, Ilari Liusvaara <ilariliusva...@welho.com>
wrote:

> On Fri, Jul 20, 2018 at 10:43:48AM +0100, Matt Caswell wrote:
> >
> >
> > On 20/07/18 10:38, Eric Rescorla wrote:
> > > The issue is not cross-protocol attacks; it's the reuse of PSKs with
> > > different KDFs, which we don't have any analysis for and which the TLS
> > > 1.3 document prohibits.
> >
> > Can you supply the reference for that prohibition?
> >
>
> Section 'Pre-Shared Key Extension'. In particular, the paragraph
> starting "Each PSK is associated with a single Hash algorithm." That
> one prohibits using PSK associated with a hash with another hash.
> However, I did not find prohibition of using PSKs from prior versions
> of TLS using SHA-256 as the associated hash (as that is the default).
>

Right. There's no such text. However, the TLS 1.2 SHA-256 KDF isn't HKDF
(and of course the TLS 1.0 KDF isn't even SHA-256), so we're kind of in an
unclear area.

-Ekr


>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
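
Added example, not code from anyone on this thread: it computes what one PSK feeds into under the TLS 1.2 PRF (RFC 5246, with the RFC 4279 plain-PSK premaster secret) and under the TLS 1.3 HKDF-Extract step, then shows one conservative provisioning policy that binds a PSK to a single KDF and hash. `PskStore`, its KDF labels and the sample values are hypothetical.

```python
import hashlib
import hmac
import struct

def p_hash(secret, seed, length, hash_name="sha256"):
    """TLS 1.2 P_hash expansion (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls12_psk_master_secret(psk, client_random, server_random):
    """Plain-PSK premaster secret (RFC 4279) fed to the TLS 1.2 PRF."""
    n = struct.pack("!H", len(psk))
    premaster = n + bytes(len(psk)) + n + psk
    seed = b"master secret" + client_random + server_random
    return p_hash(premaster, seed, 48)

def tls13_early_secret(psk, hash_name="sha256"):
    """TLS 1.3 Early Secret: HKDF-Extract(salt=zeros, IKM=PSK)."""
    zeros = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(zeros, psk, hash_name).digest()

class PskStore:
    """Hypothetical store binding each PSK to one (kdf, hash) pair."""
    def __init__(self):
        self._entries = {}

    def provision(self, identity, psk, kdf, hash_name):
        self._entries[identity] = (psk, kdf, hash_name)

    def get(self, identity, kdf, hash_name):
        psk, bound_kdf, bound_hash = self._entries[identity]
        if (kdf, hash_name) != (bound_kdf, bound_hash):
            # Refuse reuse under a KDF or hash the PSK was not provisioned for.
            raise ValueError(f"{identity}: bound to {bound_kdf}/{bound_hash}")
        return psk

# Constructed sample values, not real key material.
PSK = bytes(range(32))
CLIENT_RANDOM, SERVER_RANDOM = b"\x01" * 32, b"\x02" * 32

if __name__ == "__main__":
    print(tls12_psk_master_secret(PSK, CLIENT_RANDOM, SERVER_RANDOM).hex())
    print(tls13_early_secret(PSK).hex())
```

The binding in `PskStore` is stricter than the text quoted above requires; it is one way to stay out of the unclear area by never feeding a key provisioned for one KDF into the other.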