Right. When we design this solution, we assume it will work with TLS 1.3. The TLS WG has stopped working on the extensions for TLS 1.2, right?

From: Eric Rescorla <e...@rtfm.com>
Date: Wednesday, March 30, 2016, 11:59 AM
To: Martin Thomson <martin.thom...@gmail.com>
Cc: dacheng de <dacheng....@alibaba-inc.com>, tls <tls@ietf.org>
Subject: Re: [TLS] Reply: A TLS extension transfering service indication information

I meant "would work with TLS 1.3".

I don't believe it will work with TLS 1.2 even with EMS because (even with the MAC) the SI extension is bound to the ClientHello which is replayable in 1.2 because it contains public information, with the only non-fixed information being the random. However in 1.3 it contains the DH key share, which the attacker doesn't know the corresponding private value for.

-Ekr

On Tue, Mar 29, 2016 at 8:53 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 30 March 2016 at 14:19, Eric Rescorla <e...@rtfm.com> wrote:
> > That wouldn't work with TLS 1.2 but would work with TLS 1.2.
>
> I think that you meant that it would work with TLS 1.2 and extended
> master secret, or TLS 1.3.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
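
The replay argument in the quoted message can be modelled in a few lines. This is an added example, not part of the thread and not the proposed extension's actual design: the SI MAC construction, its key, the hello layout, the toy finite-field DH group and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy model: finite-field DH over a known prime stands in for the real key exchange.
P, G = 2**255 - 19, 2
SI_KEY = b"constructed-si-mac-key"  # hypothetical key protecting the SI extension


def si_mac(body: bytes) -> bytes:
    return hmac.new(SI_KEY, body, hashlib.sha256).digest()


def client_hello(version: str, si: bytes):
    """Return (hello, private_value). Only a 1.3 hello carries a DH key share."""
    priv = secrets.randbelow(P - 2) + 1
    share = pow(G, priv, P).to_bytes(32, "big") if version == "1.3" else b""
    body = secrets.token_bytes(32) + share + si  # random || key share || SI
    return {"version": version, "share": share, "body": body, "tag": si_mac(body)}, priv


def server_accepts(hello: dict, peer_priv: int) -> bool:
    """True if the SI MAC verifies AND the peer holding peer_priv completes the handshake."""
    if not hmac.compare_digest(hello["tag"], si_mac(hello["body"])):
        return False
    y = secrets.randbelow(P - 2) + 1
    server_pub = pow(G, y, P)
    if hello["version"] == "1.3":
        client_pub = int.from_bytes(hello["share"], "big")  # fixed by the hello itself
    else:
        client_pub = pow(G, peer_priv, P)  # 1.2: sent later, in ClientKeyExchange
    server_secret = pow(client_pub, y, P)
    peer_secret = pow(server_pub, peer_priv, P)
    # Stand-in for the Finished check: both sides must hold the same secret.
    return server_secret == peer_secret


def replay_outcomes(si: bytes = b"service=constructed-example") -> dict:
    """Map version -> (original client accepted, replaying party accepted)."""
    out = {}
    for version in ("1.2", "1.3"):
        hello, client_priv = client_hello(version, si)
        other_priv = secrets.randbelow(P - 2) + 1  # replayer never learns client_priv
        out[version] = (server_accepts(hello, client_priv),
                        server_accepts(hello, other_priv))
    return out
```

In both versions the MAC on the replayed hello still verifies; what differs is that the 1.3 hello commits to a key share, so a party without the matching private value fails the final secret comparison.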