On 30 March 2016 at 14:59, Eric Rescorla <e...@rtfm.com> wrote:
> I meant "would work with TLS 1.3". I don't believe it will work with TLS 1.2
> even with EMS because (even with the MAC) the SI extension is bound to the
> ClientHello, which is replayable in 1.2 because it contains public information,
> with the only non-fixed information being the random. However, in 1.3 it
> contains the DH key share, which the attacker doesn't know the corresponding
> private value for.
Right. Score one for TLS 1.3.