PSA PAKE: explain implicit key confirmation Signed-off-by: Janos Follath <janos.follath@arm.com>

commit: 79e1c47a54c0504b42827343df0b61a2e10ef721 [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Tue May 25 15:53:13 2021 +0100
committer: Janos Follath <janos.follath@arm.com> Thu Jun 03 12:37:32 2021 +0100
tree: 8febda01fafc192b675b813e291a2b3a472e2686
parent: 7c59b7a073fc6430bda38177769eb4e93c82ba0e [diff]
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2d4c80d..bbdd06d 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h

@@ -4638,6 +4638,14 @@
 
 /** Get implicitly confirmed shared secret from a PAKE.
  *
+ * At this point there is a cryptographic guarantee that only the authenticated
+ * party who used the same password is able to compute the key. But there is no
+ * guarantee that the peer is the party he claims to be and was able to do so.
+ *
+ * That is, the authentication is only implicit (the peer is not authenticated
+ * at this point, and no action should be taken that assume that they are - like
+ * for example accessing restricted files).
+ *
  * This function can be called after the key exchange phase of the operation
  * has completed. It imports the shared secret output of the PAKE into the
  * provided derivation operation. The input step
commit	79e1c47a54c0504b42827343df0b61a2e10ef721	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Tue May 25 15:53:13 2021 +0100
committer	Janos Follath <janos.follath@arm.com>	Thu Jun 03 12:37:32 2021 +0100
tree	8febda01fafc192b675b813e291a2b3a472e2686
parent	7c59b7a073fc6430bda38177769eb4e93c82ba0e [diff]