I was trying to articulate what the analysis in OPTLS that does not include the client's Finished message (or client authentication) means in practical terms for 0.5-RTT data. I think that one way to put it is that for the server it guarantees confidentiality against passive (only) attackers and for the client it provides data authentication (proof of origin and integrity).

Note that confidentiality against passive attackers is the same type of assurance we provide to the encrypted server's identity. The same way a server needs to "understand" that any active attacker can learn its identity from a TLS handshake, it also needs to understand that 0.5 data is open to any active attacker. Any expectations of 0.5 data being directed to a specific client need to be eliminated.

Hugo

On Tue, Feb 23, 2016 at 5:52 PM, Martin Thomson <martin.thom...@gmail.com> wrote:

> On 23 February 2016 at 14:37, Hugo Krawczyk <h...@ee.technion.ac.il> wrote:
> > It seems to imply that you are attaching some "client-specific semantics"
> > even to keys that were not authenticated by the client.
>
> It's primarily a privacy concern, though it's a pretty weak concern.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls