It's largely arbitrary, but the reasoning is as follows. There are apparently some TLS 1.2 servers which randomly generate the entire server random (and https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00 would encourage more to do so). The chance of a false positive between such a server and a TLS 1.3 client is 2^{-32}, which seemed a bit high.
-Ekr

On Fri, Oct 9, 2015 at 10:15 PM, Dave Garrett <davemgarr...@gmail.com> wrote:

> On Friday, October 09, 2015 08:23:30 am Eric Rescorla wrote:
> > https://github.com/tlswg/tls13-spec/pull/284
> >
> > The idea is that if a TLS 1.3 server receives a TLS 1.2 or below
> > ClientHello, it sets the top N bits of the ServerRandom to be a
> > specific fixed value.
> [...]
> > I've written this up with 48 bits and a specific fixed value (03 04 03
> > 04 03 04) but that's just a strawman and we can bikeshed on that if
> > people think this is a good idea.
>
> I support this, though I would like to know why 6 bytes was chosen instead
> of just 4. I don't object; I would just like to know the reasoning here.
>
>
> Dave
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
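Added example, not part of the original messages or of the tls13-spec pull request: a Python sketch of the mechanism discussed in this thread, using the strawman 48-bit value 03 04 03 04 03 04 from the quoted proposal. The function names, the client-side check, and the sample ServerHello (empty session ID, cipher suite 0xC02F) are assumptions constructed for illustration.

```python
import os
import struct

SENTINEL = bytes.fromhex("030403040304")  # strawman 48-bit value quoted in the thread
TLS12, TLS13 = 0x0303, 0x0304


def server_random(server_max, seen_client_max, rng=os.urandom):
    """Server side: mark the random when a 1.3 server answers a <= 1.2 ClientHello."""
    rnd = rng(32)
    if server_max >= TLS13 and seen_client_max < TLS13:
        rnd = SENTINEL + rnd[len(SENTINEL):]
    return rnd


def parse_server_hello(record):
    """Return (negotiated_version, random) from one TLS record holding a ServerHello."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("truncated ServerHello")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs = record[5:]
    if hs[0] != 2 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a well-formed ServerHello")
    return struct.unpack("!H", hs[4:6])[0], hs[6:38]


def downgrade_detected(record, client_max):
    """Client side (assumed check): offered 1.3, got <= 1.2, and the sentinel is present."""
    version, rnd = parse_server_hello(record)
    return (client_max >= TLS13 and version < TLS13
            and rnd.startswith(SENTINEL))


def false_positive_probability(sentinel_bits):
    """Chance that a fully random ServerRandom begins with the sentinel by accident."""
    return 2.0 ** -sentinel_bits


def build_server_hello(version, rnd):
    """Constructed sample record: empty session ID, suite 0xC02F, null compression."""
    body = struct.pack("!H", version) + rnd + b"\x00" + b"\xc0\x2f" + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, TLS12, len(hs)) + hs
```

A genuine TLS 1.2 client passes its own maximum version as `client_max` and so never trips the check; only a client that offered TLS 1.3 and was answered with a lower version inspects the prefix.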