On Mon, Dec 21, 2015 at 5:49 PM, Christian Huitema <huit...@microsoft.com> wrote:
> The handshake hash specification in section 7.1 says: > You're referring the editor's copy (WIP-11), right? > Where handshake_hash includes all messages up through the > server CertificateVerify message, but not including any > 0-RTT handshake messages (the server's Finished is not > included because the master_secret is need to compute > the finished key). > > What are the 0-RTT handshake messages that should be excluded? The diagram > in 6.2.2 shows the client hello and its extensions, the optional client > cert and client cert verify, and a finished message. Presumably, the > handshake hash does not exclude the client hello. What is the intent there? > Is the sentence meant to exclude the 0-RTT cert, cert verify and finished > messages? > I was just going over this text today and realized it's kind of confusing (and the whole "handshake_hash" abstraction is starting to be less useful in light of the PR#316 reframing of the authentication block). Unless I'm confused (which is possible given the time of night), the intention, as you say, is to separate out the 0-RTT handshake messages i.e., (cert, cert verify, finished) from the 1-RTT computations. However, as indicated in S 6.3.3. and 6.3.4: - The 0-RTT Certificate Verify covers the ClientHello and Certificate (as well as the cached messages from the server shown in the table in 6.3.4) - The 0-RTT Finished includes the above messages plus the CertificateVerify. Trying to figure out the best way to clarify this text. PRs welcome :) -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
