ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random

2010-04-23 10:36:22
from [Simon Josefsson] [Permanent Link] 
Paul Hoffman <paul(_dot_)hoffman(_at_)vpnc(_dot_)org> writes:


At 12:51 AM +0200 4/22/10, Simon Josefsson wrote:

In which environments is the extension useful?

The only motivation in the document that I can find is this:

 In some application environments, it is desirable to have the client
 and/or the server be able to input more random material in the master
 key calculation than is allowed by the fixed-length Random value.

I believe more justification than that is required for Proposed
Standard.

In particular, what I'd like to see is references to some application
environments where the extension is desirable, and the rationale why it
is desirable in that environment.

Without a rationale for when the extension is useful, it is impossible
for implementers to know when use of this extension is warranted or not.


The environment I described in the earlier thread is TLS with
Diffie-Hellman. I thought that saying that was sufficient, but I guess
it wasn't.


People shouldn't have to read the mailing list to understand the
applicability, so please describe some environments in the document.


In Diffie-Hellman key establishment with static keys, even if the PRNG
of one side is bad, the resulting pre-master secret is still sound.
Neither side knows whether or not the PRNG of the other side is bad, so
each side wants to supply sufficient randomness for the master secret
even if the other side's PRNG is bad. If a side with a bad PRNG adds its
own input, it doesn't hurt the randomness of the result, but a side with
a good PRNG can bring up the amount of randomness.


Are you saying that the 28 bytes of randomness provided in the client
and server hello is not sufficient?


I did not want to list this as the justification because there may be
other reasons to use the extension, and I don't want readers to think
that this is the only one. For example, future types of TLS key
establishment might have similar properties as static-static
Diffie-Hellman.

Does that help?


This information certainly helps, but it belongs in the document.

/Simon
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: draft-hoffman-tls-additional-random-ext (Additional Random, Simon Josefsson
Next by Date:  Re: Last Call: draft-hoffman-tls-master-secret-input (Additional, Nicolas Williams
Previous by Thread:  Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext, Martin Rex
Next by Thread:  Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random, Nikos Mavrogiannopoulos
Indexes:  [Date] [Thread] [Top] [All Lists]