On Mon, Jul 25, 2022 at 06:47:53PM -0400, Ben Schwartz wrote:
> I noticed some confusion today about the topic of ambiguous
> transcripts in cTLS. My claim was not that any single cTLS profile
> has an ambiguous transcript. If such a thing were true, I believe
> that would be a bug in the cTLS specification.
>
> Instead, I was trying to highlight the concern of "profile confusion"
> attacks, in which an attacker is able to convince the two parties
> that different profiles (with the same ID) are in use. In these
> cases, the two parties can verify their agreed-upon transcript,
> but interpret it differently, which could lead to vulnerabilities.
>
> Including the "template" in the transcript rules out these attacks.
> However, this protection depends on the use of a strong transcript
> hash in the Finished message, and shortening or omitting this hash
> has also been discussed.
>
> As you can see, there are still many interesting open questions
> related to cTLS.
Furthermore (this is just from the "known unknown" category):

- The impact of shortening the finished is probably different for PSK versus certificate modes.
- The impact of record protection probably cannot be ignored if the finished is shortened. Traditional TLS 1.3 security analysis ignores RP completely (a conservative choice to make analysis easier).
- None of the common record protectors in TLS 1.3 are committing (except the NULL ones!), which might have an impact on security analysis.
- PSK has binders, which are finished-like, but not protected. The impact of shortening those is probably very different from the impact of shortening the actual finished.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
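As an added illustration of the "profile confusion" concern raised in the quoted message, here is a constructed toy model (not the cTLS specification's encoding and not code from either poster): two peers hold different templates under the same profile ID, and the Finished check only catches the mismatch when the template is bound into the transcript hash. The profile ID, templates, wire bytes and key are all made-up values for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed toy profiles: one ID, two different templates behind it.
PROFILE_ID = b"\x01"
TEMPLATE_A = {"version": "1.3", "cipher_suite": "TLS_AES_128_GCM_SHA256", "group": "x25519"}
TEMPLATE_B = {"version": "1.3", "cipher_suite": "TLS_CHACHA20_POLY1305_SHA256", "group": "x25519"}


def canonical(template):
    """Deterministic byte encoding of a template so both sides hash it identically."""
    return json.dumps(template, sort_keys=True).encode()


def transcript_hash(wire_messages, template=None):
    """Hash the compressed wire messages; optionally bind the template in first."""
    h = hashlib.sha256()
    if template is not None:
        h.update(canonical(template))
    for m in wire_messages:
        h.update(m)
    return h.digest()


def finished(key, th, length=32):
    """Finished-style MAC over the transcript hash, truncated to `length` bytes."""
    return hmac.new(key, th, hashlib.sha256).digest()[:length]


def verify(key, th, tag):
    return hmac.compare_digest(finished(key, th, len(tag)), tag)


def profile_confusion(include_template, finished_len=32):
    """Client runs with TEMPLATE_A, server with TEMPLATE_B, both under PROFILE_ID.

    Return True if the server accepts the client's Finished, i.e. the
    confusion goes undetected. Wire bytes and key are constructed values;
    the key is assumed shared (as in a PSK handshake) so only the
    transcript binding matters here.
    """
    wire = [PROFILE_ID + b"\x00\x11", b"\x00\x22"]
    key = b"\x42" * 32
    th_client = transcript_hash(wire, TEMPLATE_A if include_template else None)
    th_server = transcript_hash(wire, TEMPLATE_B if include_template else None)
    tag = finished(key, th_client, finished_len)
    return verify(key, th_server, tag)
```

Without the template in the transcript, both peers compute the same hash over identical wire bytes and the Finished verifies even though they interpret the messages under different templates; with the template bound in, the server's verification fails.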