https://github.com/tlswg/tls13-spec/pull/508
David Benjamin has suggested moving the downgrade sentinel to the end of the server random to avoid breaking tlsdate. This seems reasonable, as the only real argument against is that conformant TLS 1.3 servers will have only 20 bytes of entropy when doing TLS 1.2 compat (if they put the time in the top 32 bytes), as opposed to 24 if they randomize the first 32 bytes. OTOH, those bytes will be more unique over time (because they are guaranteed not to repeat for a very long time after the second has passed), so intuitively this seems like a wash. Barring any objections I'll merge this PR on Wednesday.

-Ekr
TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
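The layout under discussion, as an added illustration that is not part of the thread or the spec PR: a server random with the gmt_unix_time in the first 4 bytes (what tlsdate reads), 20 random bytes, and the 8-byte downgrade sentinel at the end, plus the client-side check that catches the downgrade. The sentinel values are the ones that ended up in RFC 8446 section 4.1.3, which postdates this message; the timestamp and version tuples are constructed for the example.

```python
import os
import struct
import time

# Downgrade sentinels as published in RFC 8446 section 4.1.3 (the final form
# of the mechanism this PR discusses). With the sentinel moved to the end,
# they occupy the last 8 bytes of ServerHello.random whenever a TLS 1.3
# server negotiates TLS 1.2 or lower.
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")           # "DOWNGRD\x01"
SENTINEL_TLS11_OR_BELOW = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00"

TLS13 = (3, 4)
TLS12 = (3, 3)


def build_server_random(negotiated_version, now=None, include_time=True):
    """Build the 32-byte server random a TLS 1.3 server sends when it falls
    back to an older version.  Sentinel-at-the-end layout:
      [0:4]   gmt_unix_time  (optional; kept so tlsdate-style clients work)
      [4:24]  random bytes   (20 bytes with the time, 24 bytes without it)
      [24:32] downgrade sentinel
    A TLS 1.3 negotiation carries no sentinel: all 32 bytes are random."""
    if negotiated_version >= TLS13:
        return os.urandom(32)
    sentinel = SENTINEL_TLS12 if negotiated_version == TLS12 else SENTINEL_TLS11_OR_BELOW
    if include_time:
        t = int(time.time()) if now is None else int(now)
        prefix = struct.pack(">I", t & 0xFFFFFFFF) + os.urandom(20)
    else:
        prefix = os.urandom(24)
    return prefix + sentinel


def detect_downgrade(server_random, negotiated_version, client_supports_tls13=True):
    """Client-side check: a TLS 1.3-capable client that lands on TLS 1.2 or
    below must treat either sentinel in the last 8 bytes as a downgrade
    (RFC 8446 has it abort with illegal_parameter).  A legacy client that
    never offered 1.3 ignores the bytes, which is what makes the sentinel
    backwards compatible."""
    if not client_supports_tls13 or negotiated_version >= TLS13:
        return False
    return server_random[-8:] in (SENTINEL_TLS12, SENTINEL_TLS11_OR_BELOW)


def tlsdate_time(server_random):
    """What a tlsdate-style client reads: the first 4 bytes as a Unix time.
    This keeps working precisely because the sentinel sits at the end."""
    return struct.unpack(">I", server_random[:4])[0]
```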