On 31 Mar 2016 5:56 AM, "Ilari Liusvaara" <ilariliusva...@welho.com> wrote:

> Then on topic of 0-RTT, how do 0-RTT key hashes behave if
> handshake is restarted (main handshake hash continues, but
> 0-RTT hash context currently needs to be separate from the
> main context)?
Good question. I don't recall that being discussed. I see three options:

1. Continue the hash, just like in 1-RTT.
2. Treat HelloRetryRequest as a denial of the entire first flight.
3. Signal the choice.

Option 2 suits best if we consider HelloRetryRequest to be a DoS feature exclusively or at least primarily. But we have other reasons for it, and I don't think that DoS mitigation is a big factor for TCP. I think that option 1 is easy enough, since both sides have to extend the hash in any case. 3 is just complexity.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
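An added illustration of options 1 and 2 from the reply above, expressed as transcript-hash computations (example code written for this page, not from the thread or any TLS implementation). The handshake message bodies and the HelloRetryRequest type code are constructed, and option 2 is read as restarting the transcript at the ClientHello that follows the HelloRetryRequest.

```python
import hashlib

def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS Handshake header: type (1 byte) + uint24 length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed messages for illustration. 1 is ClientHello's real HandshakeType;
# 6 is a constructed code standing in for HelloRetryRequest in this example.
CLIENT_HELLO, HELLO_RETRY_REQUEST = 1, 6
CH1 = handshake_msg(CLIENT_HELLO, b"random-A|early_data|group=x448")   # constructed
HRR = handshake_msg(HELLO_RETRY_REQUEST, b"selected_group=x25519")     # constructed
CH2 = handshake_msg(CLIENT_HELLO, b"random-A|key_share=x25519")        # constructed

def transcript_option1(messages):
    """Option 1: keep hashing as in 1-RTT; HRR and both ClientHellos are bound."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.hexdigest()

def transcript_option2(messages):
    """Option 2: HRR denies the first flight, so the transcript restarts
    with the ClientHello that follows the last HelloRetryRequest."""
    start = 0
    for i, m in enumerate(messages):
        if m[0] == HELLO_RETRY_REQUEST:
            start = i + 1
    return transcript_option1(messages[start:])

def binds_first_flight(transcript_fn) -> bool:
    """Does changing the rejected first ClientHello change the final transcript?
    If not, the retried handshake cannot detect an altered first flight."""
    altered_ch1 = handshake_msg(CLIENT_HELLO, b"random-A|no_early_data|group=x448")
    return transcript_fn([CH1, HRR, CH2]) != transcript_fn([altered_ch1, HRR, CH2])

if __name__ == "__main__":
    print("option 1 binds first flight:", binds_first_flight(transcript_option1))  # True
    print("option 2 binds first flight:", binds_first_flight(transcript_option2))  # False
```

Under option 2 the transcript after a restart is identical to one for a handshake that never had a first flight, which is the property the reply weighs against option 1's extra hashing.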