As explained below, we propose that the record-layer sequence numbers
be reset to 0 whenever new keys are installed (as in TLS 1.2):
https://github.com/tlswg/tls13-spec/pull/379
Cédric Fournet, on behalf of the miTLS team.
While working on a formal model of the TLS 1.3 record layer, I bumped
in
ssage with each record key: end_of_early_data; finished; and
close_notify.
-Original Message-
From: Martin Thomson [mailto:martin.thom...@gmail.com]
Sent: 17 December 2015 23:39
To: Cedric Fournet
Cc: tls@ietf.org; Antoine Delignat-Lavaud; Karthikeyan
Bhargavan
Subject: Re: [TLS] [
As pointed out by Karthik, we are not strongly advocating this simplification,
but we do not think it would weaken the security of TLS. Details below.
-Cédric, with the miTLS team
In the following, I only consider the record layer keys, which are used for
authenticated encryption; I ignore all
ng the key change if someone is concerned about it.
-Cédric
From: hugok...@gmail.com [mailto:hugok...@gmail.com] On Behalf Of Hugo Krawczyk
Sent: 19 February 2016 19:57
To: Cedric Fournet
Cc: Eric Rescorla; Ilari Liusvaara;
Karthikeyan Bhargavan; tls@ietf.org; Markulf
Kohlweiss; Ant
Agreed. For what it is worth, 0-RTT with PSK would still provide implicit
client authentication.
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
Sent: 21 February 2016 19:37
To: Martin Thomson
Cc: tls@ietf.org
Subject: Re: [TLS] Remove 0-RTT client auth
+1
On Sun, Feb 21,