
Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

2011-03-08 10:00:42
Sean Turner wrote:

Yours was the first document I noticed to use SHA384 as PRF. If there
are other documents that specify that, and don't set the verify_data_length
size then it applies to those as well. (just noticed that applies to RFC5288
as well).

If the verify_data_length default is 12 (from 5246) then saying nothing 
means that it's still 12 right?  Or, do you think an explicit statement 
saying "the default value for verify_data_length of 12 is used" is needed?


Truncating the PRF output to 12 octets for TLSv1.2 seems like an error.

If truncating a SHA-1 based PRF in TLSv1.0/TLSv1.1 to 12 octets is
considered adequate (20/12), then truncation in TLSv1.2 with
a SHA-256 based PRF should have been (32/20) and truncation for
a SHA-384 based PRF should be more like (48/28) or (48/32).

To me, truncating the output of a SHA-384 PRF to 12 octets looks like
an unreasonable cutdown of the security margin for the Finished messages.

-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
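An added example (not part of the thread) showing the RFC 5246 PRF and Finished verify_data computation in Python, parameterized by hash, so the effect of verify_data_length on the SHA-256 and SHA-384 cases discussed above can be seen directly; the master secret and handshake transcript are constructed placeholders, not real session values.

```python
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> data expansion from RFC 5246 section 5 (HMAC chained over A(i))."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(hash_name: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed), truncated to `length` octets."""
    return p_hash(hash_name, secret, label + seed, length)


def finished_verify_data(hash_name: str, master_secret: bytes, handshake_messages: bytes,
                         client: bool, verify_data_length: int = 12) -> bytes:
    """verify_data for the Finished message (RFC 5246 section 7.4.9).

    The default verify_data_length is 12; a cipher suite RFC may specify a
    longer value, which is the question raised in the thread above.
    """
    label = b"client finished" if client else b"server finished"
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return tls12_prf(hash_name, master_secret, label, transcript_hash, verify_data_length)


# Constructed sample inputs (placeholders, not values from a real TLS session).
MASTER_SECRET = bytes(range(48))
HANDSHAKE = b"ClientHello|ServerHello|Certificate|ServerKeyExchange|ClientKeyExchange"

if __name__ == "__main__":
    for hash_name in ("sha256", "sha384"):
        digest_len = hashlib.new(hash_name).digest_size
        for n in (12, digest_len):
            vd = finished_verify_data(hash_name, MASTER_SECRET, HANDSHAKE, True, n)
            print(f"{hash_name}: verify_data_length={n:2d} of {digest_len}-octet PRF block -> {vd.hex()}")
```

Because P_hash generates output block by block, the 12-octet verify_data is always a prefix of the longer one, so the only thing a larger verify_data_length changes is how much of the PRF output the peer actually checks.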