The handshake hash specification in section 7.1 says:

"Where handshake_hash includes all messages up through the server CertificateVerify message, but not including any 0-RTT handshake messages (the server's Finished is not included because the master_secret is needed to compute the finished key)."

What are the 0-RTT handshake messages that should be excluded? The diagram in 6.2.2 shows the client hello and its extensions, the optional client cert and client cert verify, and a finished message. Presumably, the handshake hash does not exclude the client hello. What is the intent there? Is the sentence meant to exclude the 0-RTT cert, cert verify and finished messages?

-- Christian Huitema