I have posted a PR to clarify this: https://github.com/tlswg/dtls13-spec/pull/142
On Tue, Apr 14, 2020 at 1:13 AM Hanno Becker <hanno.bec...@arm.com> wrote: > Hi all, > > On ACK protection, DTLS 1.3 Draft 37 says in Section 7: > > ACK records MUST be sent with an epoch that is equal to or higher > than the record which is being acknowledged. Implementations SHOULD > simply use the current key. > > Since the update of incoming and outgoing keying material is > independent, I don't know how this can be enforced: After a > sequence of key updates, the incoming epoch might be 42 while > the outgoing epoch is 17. > > What problems arise if one replaces the paragraph by the following: > > ACK records MUST be sent with the current key, irrespective > of the epoch that is used to protect the record that is > being acknowledged. > > It appears that the paragraph is particularly relevant for the case > of ACKing a ServerHello, which as far as I understand shall happen > with epoch 1. Since 'current key' doesn't appear unambiguously > defined at the point of the client processing the ServerHello, it > might be worth spelling out this case explicitly. > > Best, > Hanno > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
