Require RFC6979 deterministic ECDSA #406
Conversation
|
I get the feeling from discussion on the mailing list that the WG is leaning towards consensus for a "SHOULD" not a "MUST", as this is an unverifiable & unenforceable requirement, and systems with true RNGs can actually do things properly. I suggest changing this PR to reflect this, including leaving the pitfalls section as it is in the current draft. Mentioning TRNGs could be a good idea here, to differentiate that case from when doing things deterministically his highly preferred. e.g., something to the effect of: "ECDSA signatures SHOULD be deterministically made using the scheme specified in {{RFC6979}} or generated using randomness provided by a secure hardware entropy source." (not sure of the best way to word this) A squash of all commits might also be a good idea. |
|
This PR is superseded by #408 |
I think TLS1.3 should require implementations to use RFC6979 deterministic ECDSA. This eradicates the well-known flaw in ECDSA, and makes ECDSA k selection testable for correctness.