On Sun, Oct 9, 2016 at 6:58 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Fri, Oct 07, 2016 at 08:01:43AM -0700, Eric Rescorla wrote:
> > After the discussion on PR #615, I took another pass at this with some
> > help from the research community. Please see:
> >
> > https://github.com/tlswg/tls13-spec/pull/672
> >
>
> Also, an observation: This seems to interact in a somewhat annoying way
> with stateless HRR.
>
> Basically, CH reconstruction no longer works properly, so one needs to
> have a freezeable PRF hash (and most implementations of hashes can not
> be frozen).
>

I've been coming to the conclusion that CH reconstruction is a bad idea. It's tricky to get right and in the common case involves a lot of bloat in the CH (because of duplicating the Key Shares). I think we would be better off just removing it and replacing (rather than appending to) KeyShares in HRR. This was primarily intended as an attempt to avoid the need to continue the hash in any case.

Best,
-Ekr

And server not supporting PSK does not help here.
>
>
> (BTW: Similar thing comes up if you try to freeze an established TLS
> session: Currently you need to freeze a hash due to post-handshake
> authentication, even if you don't support it. Nothing else in TLS
> 1.2 or 1.3 needs hash freezing for established session).
>
>
> -Ilari
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls