On 09/02/2017 21:17, Eric Rescorla wrote:
> Hi folks,
>
> We need to close on an issue about the size of the
> state in the HelloRetryRequest. Because we continue the transcript
> after HRR, if you want a stateless HRR the server needs to incorporate
> the hash state into the cookie. However, this

On Thu, Feb 23, 2017 at 8:08 AM, Dr Stephen Henson <
li...@drh-consultancy.co.uk> wrote:
> On 09/02/2017 21:17, Eric Rescorla wrote:
> > Hi folks,
> >
> > We need to close on an issue about the size of the
> > state in the HelloRetryRequest. Because we continue the transcript
> > after HRR, if you

https://github.com/tlswg/tls13-spec/pull/882 contains the longer description.
In short, the existence of an exporter secret threatens the forward
secrecy of any exported secret. This is a problem for QUIC and is
likely to be a more general problem.
The proposed fix is small: separate exporters i

So this isn’t entirely novel, right? I mean, we did something similar wrt other
key schedules?
spt
> On Feb 23, 2017, at 23:30, Martin Thomson wrote:
>
> https://github.com/tlswg/tls13-spec/pull/882 contains the longer description.
>
> In short, the existence of an exporter secret threatens the

Hi Martin,
just to clarify: you add an additional HKDF.Expand step, not
HKDF.Extract, right?
You mentioned extract in the email and PR text, but in code it's a
second expand---which makes sense, as only expand allows adding context
(here: label).
Cheers,
Felix
On 23/02/2017 20:30 -0800, Martin

The difference between what is defined in 1.3 and this document is the 256
bit CCM cipher suites. The document does not specify cipher suites for
TLS 1.3.
Is it important for TLS 1.3 to have support for these cipher suites?
If it is then we either need to add the cipher suites to this document

On 24 February 2017 at 16:01, Sean Turner wrote:
> So this isn’t entirely novel, right? I mean, we did something similar wrt other
> key schedules?
I certainly hope it isn't novel. I'm just applying the same
technique: keep independent keys independent.
On 24 February 2017 at 16:09, Felix Günther

> On 24 Feb 2017, at 7:38, Joseph Salowey wrote:
>
> The difference between what is defined in 1.3 and this document is the 256
> bit CCM cipher suites. The document does not specify cipher suites for TLS
> 1.3.
>
> Is it important for TLS 1.3 to have support for these cipher suites?
>
> I