Sean Turner wrote:
> Yours was the first document I noticed to use SHA384 as PRF. If there
> are other documents that specify that, and don't set the verify_data_length
> size then it applies to those as well. (Just noticed that applies to RFC5288
> as well.)
> If the verify_data_length default is 12 (from 5246) then saying nothing
> means that it's still 12, right? Or, do you think an explicit statement
> saying "the default value for verify_data_length of 12 is used" is needed?
Truncating the PRF output to 12 octets for TLSv1.2 seems like an error.
If truncating a SHA-1 based PRF in TLSv1.0/TLSv1.1 to 12 octets is
considered adequate (20/12), then truncation in TLSv1.2 with
a SHA-256 based PRF should have been (32/20) and truncation for
a SHA-384 based PRF should be more like (48/28) or (48/32).
To me, truncating the output of a SHA-384 PRF to 12 octets looks like
an unreasonable cutdown of the security margin for the Finished messages.
-Martin
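As an added example (not part of this thread), the TLS 1.2 PRF and Finished verify_data computation from RFC 5246, with the hash function and verify_data_length as parameters so the default 12-octet truncation can be compared directly against the longer truncations discussed above; the master secret and transcript used at the bottom are constructed sample values.

```python
import hashlib
import hmac


def hmac_hash(secret: bytes, data: bytes, hash_name: str) -> bytes:
    """HMAC over `data` keyed with `secret`, using the named hash (e.g. "sha384")."""
    return hmac.new(secret, data, getattr(hashlib, hash_name)).digest()


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """P_hash from RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_hash(secret, a, hash_name)           # A(i)
        out += hmac_hash(secret, a + seed, hash_name)  # next output block
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length, hash_name)


def finished_verify_data(master_secret: bytes, handshake_messages: bytes, is_client: bool,
                         hash_name: str, verify_data_length: int = 12) -> bytes:
    """verify_data = PRF(master_secret, finished_label,
                         Hash(handshake_messages))[0..verify_data_length-1]
    The default of 12 is the RFC 5246 value; a cipher suite may specify a longer one."""
    label = b"client finished" if is_client else b"server finished"
    transcript_hash = getattr(hashlib, hash_name)(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, verify_data_length, hash_name)


if __name__ == "__main__":
    # Constructed sample values, not from any real handshake.
    master_secret = bytes(range(48))
    transcript = b"ClientHello||ServerHello||Certificate||ServerKeyExchange||ServerHelloDone"
    for hash_name, digest_len in (("sha256", 32), ("sha384", 48)):
        for vlen in (12, 20, 28, 32):
            vd = finished_verify_data(master_secret, transcript, True, hash_name, vlen)
            print(f"{hash_name} PRF ({digest_len}/{vlen}): {vd.hex()}")
```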
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf