On 16. mai 2017 20:59, Eric Rescorla wrote: >> However, this intuition is incorrect. Alerts signal the end-of-use of >> keys, not the prohibition of further communication under other keys. >> Keys should be deleted and no further data should be sent on the >> connection. > > This last sentence seems to reinforce the motivating intuition here, > namely that the alert signals the end of the *connection*, and so it's > odd to have EOED indicate a key change within a connection. > Avoiding getting caught on the word "connection", EOED signals the end of key use like other alerts, which is the central issue. Notably, EOED does not signal key change, unlike a KeyUpdate message or Finished message - even the name indicates that it is for "end of data". Its behavior is fundamentally like an alert's, indicating only end-of-key use for application data.
>> Specifically, the 0-RTT handshake is >> followed by 0-RTT data and finally an EndOfEarlyData alert to end use of >> that key, while in parallel the remainder of the handshake and >> subsequent session key act almost as a further resumption (i.e. under a >> different key). >> > I can see how you could look at it this way, but I'm not sure that that's > the natural way to look at it. If you're not doing DH, then these are > very much derived from the same PSK and the same client-side > nonce. > In that case, they are both then related to the master key of the previous session, which may well have ended with a close_notify, i.e. a properly finished key use signaled by an alert.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
