At 12:51 AM +0200 4/22/10, Simon Josefsson wrote: >In which environments is the extension useful? > >The only motivation in the document that I can find is this: > > In some application environments, it is desirable to have the client > and/or the server be able to input more random material in the master > key calculation than is allowed by the fixed-length Random value. > >I believe more justification than that is required for Proposed >Standard. > >In particular, what I'd like to see is references to some application >environments where the extension is desirable, and the rationale why it >is desirable in that environment. > >Without a rationale for when the extension is useful, it is impossible >for implementers to know when use of this extension is warranted or not. The environment I described in the earlier thread is TLS with Diffie-Hellman. I thought that saying that was sufficient, but I guess it wasn't. In Diffie-Hellman key establishment with static keys, even if the PRNG of one side is bad, the resulting pre-master secret is still sound. Neither side knows whether or not the PRNG of the other side is bad, so each side wants to supply sufficient randomness for the master secret even if the other side's PRNG is bad. If a side with a bad PRNG adds its own input, it doesn't hurt the randomness of the result, but a side with a good PRNG can bring up the amount of randomness. I did not want to list this as the justification because there may be other reasons to use the extension, and I don't want readers to think that this is the only one. For example, future types of TLS key establishment might have similar properties as static-static Diffie-Hellman. Does that help? --Paul Hoffman, Director --VPN Consortium _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf