Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Adam Langley <> Mon, 01 December 2014 22:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AFF3F1A6F0A for <>; Mon, 1 Dec 2014 14:28:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oc6xYnfL8622 for <>; Mon, 1 Dec 2014 14:28:49 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5051F1A883D for <>; Mon, 1 Dec 2014 14:28:49 -0800 (PST)
Received: by with SMTP id m20so8577636qcx.12 for <>; Mon, 01 Dec 2014 14:28:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=sErxzeReTw9Tm78WOGOfnxSgrO9ZeJTMRpJpjuzTm5Y=; b=eb16l2XDSVD/SY6v4atV48uByG/Acx2jPhXqHR2LJ4dH8fQUP2ytIOwy4QNKSa+1FC Dd/063hQomJsUPW3l+csXkYeJGPGRdJRtSoXhDmXopSGY//DbFKJbwd/viRmr/xwQJya LVf07BTB5a/yNEMwzdl2FJZcx8l8cZX550nluLTIQn5iqO7QHK5HOjmjg8fQZGAuhR75 XRh+uZdkurVJOmy0ITOD1dGxcEqwdu6DPtBzD9j3tosgHgWI8lBYR8f0tehRoULLdNmi fILj2jbSYHBclCDG2j6T8k0SGBCfQ9okl7PVwDTfsvLINK81VBXpQaKlC27atN59p1oq 7xeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=sErxzeReTw9Tm78WOGOfnxSgrO9ZeJTMRpJpjuzTm5Y=; b=bD7qSjhQr0Uh+32oQL7FAO+MMmF2lBj6A22DRX3EW1DQVVkYX88gi70fUnWhoLmrt9 WOp5geND+vsvmMiQ8I+6w4cPUrswy6kkWwSsgH7ZAEdG+b/te60e3Rlby54iS+zMNj4K y9YWG1cTHuoMxo+f9e+ij2WOSPNrJKtcRy13virc4yx+qi9gnfm7JX+IY4wfR8zDUl8V BooGpyOBt6HUQ/Rs3qnRiYD94P+YfcAEBfVdZQkyzKJeXgtwXbBWs7XJYB80+Fqqm0U7 lf0DeXVrmXZEj9UjXmaKNHr03numEO51NMAORekYeQYJn4G2AgT4QD1h34OnyhafZjA+ Ca3A==
X-Gm-Message-State: ALoCoQnkVFSv9+Cxiy7HEGDD9kRYm7mI609eHXkubfyhS/bXi1MLZn0habEdbK95rEgF3N4jnlcl
X-Received: by with SMTP id y15mr41996906qab.78.1417472928492; Mon, 01 Dec 2014 14:28:48 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 1 Dec 2014 14:28:28 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
From: Adam Langley <>
Date: Mon, 01 Dec 2014 14:28:28 -0800
Message-ID: <>
To: Eric Rescorla <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Dec 2014 22:28:50 -0000

On Wed, Nov 26, 2014 at 6:09 AM, Eric Rescorla <> wrote:
> If someone wants to contribute a PR so that we can have something
> concrete to look at that would be even better.

I have submitted a PR for the padding and context-string changes:

I did not change the CertificateVerify structure in the same commit
because I'm not quite sure that I follow the reasoning. The
CertificateVerify implicitly contains the client and server nonce
because it contains all the preceding handshake messages. What's the
motivation for duplicating them at the beginning? Is it simply to
avoid having the opaque signer understand the TLS structure? If so,
does the padding and context strings that I've just proposed break