On Thu, Mar 31, 2016 at 09:57:51AM +1100, Martin Thomson wrote:
> On 31 Mar 2016 5:56 AM, "Ilari Liusvaara" <ilariliusva...@welho.com> wrote:
> > Then on topic of 0-RTT, how does 0-RTT key hashes behave if
> > handshake is restarted (main handshake hash continues, but
> > 0-RTT hash context currently needs to be separate from the
> > main context)?
> 
> Good question. I don't recall that being discussed. I see three options:
> 
> 1. Continue the hash, just like in 1-RTT
> 
> 2. Treat HelloRetryRequest as a denial of the entire first flight.
> 
> 3. Signal the choice.
> 
> Option 2 suits best if we consider HelloRetryRequest to be a DoS feature
> exclusively or at least primarily. But we have other reasons for it and I
> don't think that DoS mitigation is a big factor for TCP.
> 
> I think that option 1 is easy enough, since both sides have to extend the
> hash in any case. 3 is just complexity.

Yeah, I agree 3 is just complexity. Except I disagree that currently
option 1 is easy enough, since the hash going to creating 0-RTT keys
is not tapped from the main hash (if it was, then continuing would be
the simplest).

Relatedly, the proposal for "contexts" dropped the extra messages that
caused the difference between 0-RTT hash and 1-RTT hash.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
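To make the hash bookkeeping in the exchange above concrete, here is an added toy model; it is not code from this thread or from any TLS implementation, and it does not use TLS 1.3 wire formats or the real key schedule. The message strings, the "extra 0-RTT-only messages" that make the 0-RTT hash differ from the main hash, the shared secret and the HMAC-based derive_key stand-in are all constructed for illustration. It models option 1 ("continue") and option 2 ("deny") for the separate 0-RTT hash context across a HelloRetryRequest, and shows why both sides have to pick the same option: the main transcript hash agrees regardless, but the 0-RTT keys only agree when client and server extend (or discard) the 0-RTT context the same way.

```python
import hashlib
import hmac

# Constructed stand-in messages (NOT TLS 1.3 wire format).
CLIENT_HELLO_1 = b"ClientHello#1 (offers 0-RTT)"
EARLY_ONLY_MSGS = b"hypothetical extra 0-RTT-only handshake messages"
HELLO_RETRY_REQUEST = b"HelloRetryRequest"
CLIENT_HELLO_2 = b"ClientHello#2 (after retry)"
SECRET = b"constructed pre-shared secret"


class TranscriptHash:
    """Running SHA-256 over handshake messages; digest() does not finalize."""

    def __init__(self):
        self._h = hashlib.sha256()

    def update(self, msg):
        self._h.update(msg)

    def digest(self):
        return self._h.copy().digest()


def derive_key(secret, label, transcript_digest):
    """Simplified stand-in for a transcript-bound key derivation (HMAC)."""
    return hmac.new(secret, label + transcript_digest, hashlib.sha256).digest()


def run_peer(policy):
    """Simulate one side's hash bookkeeping through a HelloRetryRequest.

    policy: "continue" (option 1: keep extending the 0-RTT hash context)
            or "deny"  (option 2: treat HRR as denial of the whole first flight).
    Returns the main transcript digest and the 0-RTT key after the retry.
    """
    main = TranscriptHash()
    early = TranscriptHash()
    main.update(CLIENT_HELLO_1)
    early.update(CLIENT_HELLO_1)
    # The 0-RTT context is separate because it absorbs messages the
    # main hash does not (hypothetical here); this is the "not tapped" point.
    early.update(EARLY_ONLY_MSGS)

    # Server sends HRR, client answers with a second ClientHello.
    # The main hash always continues; the 0-RTT hash depends on the policy.
    for msg in (HELLO_RETRY_REQUEST, CLIENT_HELLO_2):
        main.update(msg)
        if policy == "continue":
            early.update(msg)

    if policy == "deny":
        early_key = None  # first flight rejected; no 0-RTT keys survive
    else:
        early_key = derive_key(SECRET, b"early", early.digest())
    return {"main": main.digest(), "early_key": early_key}


def peers_agree(client_policy, server_policy):
    """True when both sides end up with the same main hash AND the same 0-RTT key."""
    c = run_peer(client_policy)
    s = run_peer(server_policy)
    return c["main"] == s["main"] and c["early_key"] == s["early_key"]


if __name__ == "__main__":
    for cp, sp in (("continue", "continue"), ("deny", "deny"), ("continue", "deny")):
        print(f"client={cp:8} server={sp:8} agree={peers_agree(cp, sp)}")
```

The mismatch case (client continues the 0-RTT hash, server treats HRR as a denial) is the one option 3 would signal away; the model shows it is a genuine disagreement about key material, not just about bookkeeping, while the main handshake hash is unaffected by the choice.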
