On Mon, Dec 28, 2015 at 02:52:49PM -0500, Eric Rescorla wrote:
> Folks,
>
> In the spirit of making a useful checkpoint, I just posted the latest
> version of the editor's draft as draft-11. Here are the major changes:
>
> - Unify authentication modes. Add post-handshake client authentication.
I noticed the following:

1) In previous drafts with the OPTLS design, 1-RTT Finished messages used SS as key (for avoiding circular logic or something like that). But -11 seems to specify Master Secret.

2) Post-handshake auth seems to need hash forking, whereas everything else (except 0-RTT, which likely gets implemented differently anyway) only needs multitap hashes (even for CertificateVerify).

3) If any extension tries to add a new message between ServerConfiguration and Certificate or Finished and Certificate, the definition goes screwy (one expects the hash to end just before Certificate). And there are two non-deprecated extensions that do just that...

4) There is also one (infamous) extension (not deprecated) that uses a Supplemental Data message from server to client. Where does that message go? Right after EncryptedExtensions (one creative interpretation)?

> The major open issues I am aware of are:
>
> - Details of state pickling for stateless reject. I owe the list a proposal
> here.

This is a bit more subtle than it seems. Looks like you need to put the Client Random in that state too, in order to avoid rehandshakes from blowing up. The server needs some way of telling apart a retry and a rehandshake, otherwise it tries to recover the state on rehandshake, which is very wrong and won't work.

Also, I would set the default maximum TTL at 0 (don't save between connections unless the application profile says so).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
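Added example, not part of the thread or of any TLS implementation: a minimal Python sketch of the stateless-reject state pickling discussed above, where the server binds the Client Random and a hash of the first ClientHello into an HMAC-protected cookie so that, when the cookie comes back, it can distinguish a retry (same Client Random, state may be recovered) from a rehandshake (different Client Random, state must not be reused). The cookie layout, the key handling and the modelling of the TTL as seconds are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed: a per-server secret that never leaves the server; rotate in practice.
COOKIE_KEY = os.urandom(32)
MAC_LEN = 32
BODY_LEN = 8 + 32 + 32  # issued_at(8) || client_random(32) || client_hello_hash(32)


def make_cookie(client_random, client_hello_hash, now=None):
    """Pickle the minimal retry state into an opaque, authenticated cookie.

    The ClientHello hash lets the server rebuild its transcript after a
    stateless reject; the Client Random is what later lets it tell a retry
    (same random) apart from a rehandshake (fresh random).
    """
    assert len(client_random) == 32 and len(client_hello_hash) == 32
    issued_at = int(time.time()) if now is None else now
    body = struct.pack(">Q", issued_at) + client_random + client_hello_hash
    mac = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return body + mac


def check_cookie(cookie, client_random, max_ttl=0, now=None):
    """Validate a cookie echoed by the client.

    Returns (verdict, client_hello_hash). Verdicts: "retry" (state may be
    recovered), "rehandshake" (genuine cookie from a different handshake, so
    its state must NOT be reused), "invalid" (bad length or MAC), "expired".
    max_ttl=0 (assumed default) means a cookie is only honoured within the
    same second it was issued, i.e. effectively never across connections.
    """
    if len(cookie) != BODY_LEN + MAC_LEN:
        return "invalid", None
    body, mac = cookie[:BODY_LEN], cookie[BODY_LEN:]
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "invalid", None
    issued_at = struct.unpack(">Q", body[:8])[0]
    now = int(time.time()) if now is None else now
    if now - issued_at > max_ttl:
        return "expired", None
    if not hmac.compare_digest(body[8:40], client_random):
        return "rehandshake", None
    return "retry", body[40:]
```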