On Tue, Oct 11, 2016 at 07:48:05PM -0700, Eric Rescorla wrote: > On Tue, Oct 11, 2016 at 5:16 PM, Martin Thomson <martin.thom...@gmail.com> > wrote: > > > On 12 October 2016 at 00:51, Eric Rescorla <e...@rtfm.com> wrote: > > > See: > > > https://github.com/tlswg/tls13-spec/pull/678 > > > > I'm convinced that this is the right change. Reconstruction was > > always going to be brittle. I will note that I don't think that the > > change gets the error codes right though. I explained why on the PR. > > > Thanks, I'll look at this. I'll be merging this change (modulo your > comments) Friday unless there is significant objection.
Well, if reject with in-list group is spurious or not depends on if there is some hello-altering extension other than key share group (it isn't if any other extension alters CH). I also noticed another edge case: What is to prevent server from omitting key share group (emitting a cookie, so the restart is not spurious), presumably causing the client to blank its key_share and then proceed to accept DH versus client's previously sent share? (That kind of thing really plays hell if client has explicit list of keypairs it considers active for connection). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
