Empty identities

[chris-wood]

From @cjpatton

• Quote:

  For simplicity, if both identities are absent, i.e. len(A) = len(B) = 0, then w0s || w1s = PBKDF(pw).

  This may be problematic from the perspective of the security analysis, I suggest we go back to the Shoup paper and check. The problem is that RO queries for sessions with no identities might collide with queries for sessions with identities. For example, a password pw in one session may be equal to len(pw2) || pw2 || len(A) || A || len(B) || B) where pw2 is the password in another session in which A and B are the identities.

  Since this logic isn't excercised in the rest of the spec, I would just remove it and not treat this as a special case.

[chris-wood]

IIRC the security analysis does cover this case, though I would need to go back and double check. @ttaubert, do you recall off hand? If it does, we can safely close this without action.

[ttaubert]

The security analysis does explicitly not cover this case:

[chris-wood]

Ah, well, interesting!