On 15/10/15 00:06, Martin Thomson wrote: > On 14 October 2015 at 15:43, Matt Caswell <fr...@baggins.org> wrote: >> "highly dangerous idea" > > Wrong Martin.
Oops. Sorry. > I agree that there is a need for caution, but in > reality, it's not like you can use renegotiation to hand-off to > someone else entirely. The person you are talking to hasn't changed. > What is dangerous is making assertions about *new* things that the > renegotiation introduces. > OpenSSL will not itself use anything from the new handshake until the CCS/Finished has been processed. I couldn't make the same guarantee about applications using OpenSSL APIs/callbacks (although no doubt applications could do all manner of dangerous things if they chose to). So that leaves me unclear whether you are advising me to "fix" the "bug" because its not that dangerous really, or whether the risk of applications using info they shouldn't is too great so we should maintain the status quo and leave things as they are (i.e. broken in certain scenarios). Matt _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
