On Wed, Oct 12, 2016 at 3:57 PM, Eric Rescorla <e...@rtfm.com> wrote:

> The 0-RTT traffic key incorporates the ClientHello.Random which is tied
> into the full handshake.
>

Ok, so for the replayed early data to be accepted, an adversary would also
have to swap out CH.Random and the (Finished) message, which would alter
the server Finished message, resulting in a handshake failure. I think that
resolves my concern. Thanks.

Kyle
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
