On 22 July 2017 at 07:42, Watson Ladd <watsonbl...@gmail.com> wrote:
>> If crc is repeated within a connection, then the old certificate
>> message can be replayed.
>>
>> If crc is guessed, then reply can be pregenerated anytime during
>> connection.
>>
>> However, neither seems critical, but might be of magnitude to note.
>
> Yes, if we want freshness then we need a challenge-response protocol.
> I don't recall if the H2 draft does.
It cannot. The question is whether freshness regarding the request is necessary, or whether it is just freshness with respect to the connection that we need. That is, was the response generated for this connection, or was it generated in response to a specific request? I think that a binding to the connection is sufficient.

In terms of use cases, the current design is a much better fit. It allows for spontaneous assertions of identity rather than requiring a request/response exchange.

If we need request/response - which I don't think we do - then that should be integral to this mechanism. I don't want to rely on the using protocol doing the right thing.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
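The distinction the thread draws (an authenticator bound to the connection versus one that is also fresh with respect to a particular request, and what a repeated context lets through) can be shown with a small model. The following is an added example written for this page, not code from the exported-authenticator draft or from any list participant, and it is a deliberate simplification: the authenticator is modelled as an HMAC over (context || certificate) keyed by a per-connection secret that stands in for TLS exporter output, rather than the draft's Certificate/CertificateVerify/Finished structure. The `Verifier` class, its `seen_contexts` bookkeeping and the `reject_repeats` switch are assumptions of this example, introduced only to show the difference between a verifier that remembers which contexts it has accepted and one that does not.

```python
import hashlib
import hmac
import secrets

# Constructed simplification: a secret derived per connection (standing in for a
# TLS exporter value) keys an HMAC over the request context and the certificate.
# This is NOT the exported authenticator wire format; it only models the binding.


def connection_secret() -> bytes:
    """Stand-in for a per-connection secret obtained from the TLS exporter."""
    return secrets.token_bytes(32)


def make_authenticator(conn_secret: bytes, context: bytes, certificate: bytes) -> bytes:
    """Prover side: bind the certificate to this connection and to this context."""
    return hmac.new(conn_secret, context + certificate, hashlib.sha256).digest()


class Verifier:
    """Verifier for one connection (hypothetical class, assumption of this example).

    With reject_repeats=True it refuses any context it has already accepted, so
    an old authenticator cannot be presented a second time on the same connection.
    """

    def __init__(self, conn_secret: bytes):
        self.conn_secret = conn_secret
        self.seen_contexts: set[bytes] = set()

    def verify(self, context: bytes, certificate: bytes, authenticator: bytes,
               reject_repeats: bool = True) -> bool:
        expected = make_authenticator(self.conn_secret, context, certificate)
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, authenticator):
            return False
        if reject_repeats:
            if context in self.seen_contexts:
                return False
            self.seen_contexts.add(context)
        return True


def demo() -> dict:
    """Run the four cases the thread discusses and report which ones verify."""
    conn_a = connection_secret()
    conn_b = connection_secret()
    cert = b"constructed-certificate-bytes"        # constructed sample, not a real cert
    ctx = secrets.token_bytes(32)                   # unpredictable context, so no pregeneration
    auth = make_authenticator(conn_a, ctx, cert)

    results = {}
    # Binding to the connection: the authenticator is valid where it was made...
    results["valid_on_own_connection"] = Verifier(conn_a).verify(ctx, cert, auth)
    # ...and fails on a different connection, whose exporter secret differs.
    results["cross_connection_replay"] = Verifier(conn_b).verify(ctx, cert, auth)

    # Repeated context, verifier that does not track contexts: the old
    # authenticator is accepted again (the replay Watson describes).
    untracked = Verifier(conn_a)
    untracked.verify(ctx, cert, auth, reject_repeats=False)
    results["repeat_context_untracked"] = untracked.verify(ctx, cert, auth, reject_repeats=False)

    # Same repeat against a verifier that remembers accepted contexts: rejected.
    tracked = Verifier(conn_a)
    tracked.verify(ctx, cert, auth)
    results["repeat_context_tracked"] = tracked.verify(ctx, cert, auth)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The cross-connection case is what "binding to the connection" buys on its own; the two repeat-context cases show that freshness with respect to a request is a separate property that the verifier has to enforce, here by never accepting a context twice, and that an unpredictable context is what rules out a pregenerated reply.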