On Tue, May 16, 2017 at 2:10 PM, Britta Hale <britta.h...@ntnu.no> wrote:
> > On 16. mai 2017 20:59, Eric Rescorla wrote: > > However, this intuition is incorrect. Alerts signal the end-of-use of > keys, not the prohibition of further communication under other keys. > Keys should be deleted and no further data should be sent on the > connection. > > This last sentence seems to reinforce the motivating intuition here, > namely that the alert signals the end of the *connection*, and so it's > odd to have EOED indicate a key change within a connection. > > > Avoiding getting caught on the word "connection", EOED signals the end of key > use like other alerts, which is the central issue. Notably, EOED does > not signal key change, unlike a KeyUpdate message or Finished message - even > the name indicates that it is for "end of data". Its behavior is fundamentally > like an alert's, indicating only end-of-key use for application data. > > I'm not sure why you say it doesn't signal a key change: EOED signals the transition between data encrypted with the early traffic keys and that encrypted with the handshake key. > Specifically, the 0-RTT handshake is > followed by 0-RTT data and finally an EndOfEarlyData alert to end use of > that key, while in parallel the remainder of the handshake and > subsequent session key act almost as a further resumption (i.e. under a > different key). > > > I can see how you could look at it this way, but I'm not sure that that's > the natural way to look at it. If you're not doing DH, then these are > very much derived from the same PSK and the same client-side > nonce. > > > In that case, they are both then related to the master key of the previous > session, which may well have ended with a close_notify, i.e. a properly > finished key use signaled by an alert. > > Yes, that's true, but I'm not sure I see the relevance of this point. -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
