On Sat, Oct 17, 2015 at 02:16:49PM -0700, Eric Rescorla wrote:

> 3. (Optional) If you have a downgrade, parse the last byte to see the
> server's actual version.
> In any case, abort.
>
> What have I missed?
From my perspective, there's not much benefit to knowing the actual version, and an unnecessary loss of 7 to 8 bits of protection against false positives with actually random input from legacy peers. If it is "in any case abort", why waste bits on the version?

If 56 bits are enough FP-protection, use the rest for real randomness in the server-random. If just to be safe the FP protection is 64 bits, fix those bits, except perhaps 1 to indicate 1.2 vs. >= 1.3 (if this mechanism is intended to be "backported" to TLS 1.2 systems).

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
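The two variants under discussion, as an added example that is not part of the thread: the client either compares 56 bits and parses the last byte (Eric's optional step 3) or requires all 64 bits to equal the exact sentinel (Viktor's preference), and the false-positive rate against a legacy server's truly random tail differs by a factor of 256. The sentinel bytes are the ones later standardized in RFC 8446, which is an assumption relative to the 2015 draft being discussed; `sentinel_for`, `make_server_random` and `check_downgrade` are hypothetical helper names.

```python
import os

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304

# Sentinel layout as later standardized in RFC 8446 (assumed here; the 2015
# draft values differ): 7 fixed marker bytes plus one byte naming the
# version the server actually negotiated.
MARKER = b"DOWNGRD"


def sentinel_for(negotiated):
    """Sentinel the server writes: 0x01 for TLS 1.2, 0x00 for 1.1 or below."""
    return MARKER + (b"\x01" if negotiated == TLS12 else b"\x00")


def make_server_random(negotiated, server_max, rng=os.urandom):
    """Server side: 32 random bytes; when the server supports a higher
    version than it negotiated, the last 8 bytes become the sentinel."""
    rand = bytearray(rng(32))
    if negotiated < server_max:
        rand[24:] = sentinel_for(negotiated)
    return bytes(rand)


def check_downgrade(server_random, negotiated, client_max, parse_version=True):
    """Client side. Returns (downgrade_detected, version_named_by_server).

    parse_version=True is Eric's optional step 3: compare 56 bits and read
    the version from the last byte. parse_version=False is Viktor's
    alternative: all 64 bits must equal the exact sentinel, so a legacy
    server's truly random tail triggers a false abort 256 times less often.
    """
    if negotiated >= client_max:      # got our best version: nothing to check
        return False, None
    tail = server_random[24:]
    if parse_version:
        if tail[:7] != MARKER:
            return False, None
        return True, (TLS12 if tail[7] == 0x01 else TLS11)
    return tail == sentinel_for(negotiated), None


def false_positive_probability(fixed_bits):
    """Chance a legacy peer's random tail matches `fixed_bits` fixed bits."""
    return 2.0 ** -fixed_bits
```

The `odd` case in the checks below (marker followed by an unexpected version byte) is exactly the input where the 56-bit variant aborts and the 64-bit variant does not.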