
Re: [TLS] Open Issue: verify_data processing



Eric Rescorla wrote:

The argument against is that it puts the security of the handshake on an unkeyed hash rather than a MAC (since you only need to mount a 2nd preimage attack on the hash and then you have a 2nd preimage on MAC(K,hash)).

You can use this argument against RSA, DSA, and ECDSA
signatures, too.

My preference is to hash the handshake_messages first.
The issue isn't that new PRFs can't cope with large data.
The issue is the new burden on TLS implementations to buffer
data of an indefinite length. Also consider the memory usage
of a busy TLS server that has a lot of handshakes in progress.

Wan-Teh
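To make the two options under discussion concrete, here is an added example (not part of the mail thread) implementing the TLS 1.2 PRF from RFC 5246 and computing Finished verify_data both ways: the hash-first variant, which an implementation can compute with a running digest and constant memory, and the variant that feeds the raw transcript into the PRF, which forces every handshake message to be buffered. Master secret and handshake messages are constructed sample values, not a real handshake.

```python
import hashlib
import hmac

VERIFY_DATA_LENGTH = 12  # TLS 1.2 default (RFC 5246, section 7.4.9)


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def verify_data_buffered(master_secret: bytes, label: bytes, messages: list) -> bytes:
    """Hash-first variant computed over a fully buffered transcript."""
    digest = hashlib.sha256(b"".join(messages)).digest()
    return prf(master_secret, label, digest, VERIFY_DATA_LENGTH)


class StreamingFinished:
    """Hash-first variant in constant memory: only the running digest is kept,
    so handshake messages can be discarded as soon as they are absorbed."""

    def __init__(self) -> None:
        self._h = hashlib.sha256()

    def absorb(self, message: bytes) -> None:
        self._h.update(message)

    def verify_data(self, master_secret: bytes, label: bytes) -> bytes:
        return prf(master_secret, label, self._h.digest(), VERIFY_DATA_LENGTH)


def verify_data_unhashed(master_secret: bytes, label: bytes, messages: list) -> bytes:
    """Alternative discussed in the thread: PRF directly over the raw transcript.
    The whole transcript must stay in memory until Finished is sent."""
    return prf(master_secret, label, b"".join(messages), VERIFY_DATA_LENGTH)


# Constructed sample values (not a real handshake; real messages carry a 4-byte header).
MASTER_SECRET = bytes(range(48))
MESSAGES = [b"\x01ClientHello-sample", b"\x02ServerHello-sample", b"\x10ClientKeyExchange-sample"]


def demo() -> bytes:
    """Stream the sample transcript and return the client Finished verify_data."""
    s = StreamingFinished()
    for m in MESSAGES:
        s.absorb(m)
    return s.verify_data(MASTER_SECRET, b"client finished")
```

Both hash-first paths yield identical verify_data, which is why the streaming form can replace the buffered one without changing the wire protocol.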


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls