On Wed, May 6, 2020 at 1:09 AM Ben Smyth <resea...@bensmyth.com> wrote:

> As far as I can tell, secret [sender]_handshake_traffic_secret is computed
> over transcript CH || SH or CH || HRR || CH || SH. (A server can compute
> their secret once they've computed SH, whereas a client must wait until
> they've received SH before computing their secret.)
>

Correct. The figure here is intended to clarify this
https://tools.ietf.org/rfcmarkup?doc=8446#section-7.1, though see
https://tools.ietf.org/rfcmarkup?doc=8446#section-4.4.1 for how to handle
HRR.


> Secret server_application_traffic_0 is computed over an extended transcript
> which additionally includes EE, (optionally) CR, (optionally) CT & CV, and
> FIN, and secret client_application_traffic_0 further extends that
> transcript to include (optionally) EndOfEarlyData, (optionally) CT,
> (optionally) CV, and FIN. Is that right?
>

No. These are computed over the same transcript, which goes up to SFIN. We
have discussed extending the client transcript as you suggest, but so far
have not done so (this would need an extension).

-Ekr


>
> Best regards,
>
> Ben
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
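The schedule Ekr describes, as an added example that is not part of the thread and not code from the TLS working group or any TLS library: a small RFC 8446 section 7.1 key schedule (HKDF-Extract, HKDF-Expand-Label, Derive-Secret) that takes the transcript as an explicit list of messages and reports which prefix each secret is derived over. The handshake traffic secrets cover ClientHello through ServerHello (with the HelloRetryRequest substitution from section 4.4.1), and both application traffic secrets cover the same transcript through server Finished; it goes slightly beyond the exchange above by also deriving exporter_master_secret (through server Finished) and resumption_master_secret (through client Finished), the one secret in the RFC that does include the client's Finished. Assumptions: SHA-256 cipher suites, a constructed 32-byte (EC)DHE shared secret, no PSK, and placeholder byte strings for the handshake messages (not real TLS encodings; only their position in the transcript matters).

```python
"""TLS 1.3 key schedule (RFC 8446 section 7.1) driven by explicit transcripts.

Added example; not code from the TLS WG or any library. Handshake messages are
constructed placeholders (NOT real TLS encodings); only their order matters.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size      # 32 for SHA-256 cipher suites
MESSAGE_HASH = 254                 # HandshakeType message_hash, section 4.4.1


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869); an absent salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label: HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def transcript_hash(messages):
    """Transcript-Hash over (name, bytes) pairs.  Section 4.4.1 rule: when the
    second message is a HelloRetryRequest, the first ClientHello is replaced by
    a synthetic message_hash message carrying Hash(ClientHello1)."""
    if len(messages) >= 2 and messages[1][0] == "HRR":
        synthetic = bytes([MESSAGE_HASH, 0, 0, HASH_LEN]) + HASH(messages[0][1]).digest()
        data = synthetic + b"".join(m for _, m in messages[1:])
    else:
        data = b"".join(m for _, m in messages)
    return HASH(data).digest()


def derive_secret(secret, label, messages):
    """Derive-Secret(Secret, Label, Messages) from section 7.1."""
    return hkdf_expand_label(secret, label, transcript_hash(messages), HASH_LEN)


def key_schedule(ecdhe_shared, transcript, psk=None):
    """Return {label: (secret, names of the transcript messages it covers)}."""
    names = [n for n, _ in transcript]

    def through(last):                       # transcript prefix ending at `last`
        return transcript[: names.index(last) + 1]

    early_secret = hkdf_extract(None, psk or b"\x00" * HASH_LEN)
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", []), ecdhe_shared)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", []),
                                 b"\x00" * HASH_LEN)
    out = {}
    # Handshake traffic secrets: CH || SH, or CH || HRR || CH || SH after a retry.
    for label in (b"c hs traffic", b"s hs traffic"):
        out[label] = (derive_secret(handshake_secret, label, through("SH")),
                      [n for n, _ in through("SH")])
    # Application traffic and exporter secrets: all over the same transcript,
    # ClientHello through server Finished; the client's Finished is not in it.
    for label in (b"c ap traffic", b"s ap traffic", b"exp master"):
        out[label] = (derive_secret(master_secret, label, through("SFIN")),
                      [n for n, _ in through("SFIN")])
    # Only the resumption master secret extends through client Finished.
    out[b"res master"] = (derive_secret(master_secret, b"res master", through("CFIN")),
                          [n for n, _ in through("CFIN")])
    return out


# Constructed placeholder transcripts (labels only; bytes are not TLS encodings).
FULL_HANDSHAKE = [("CH", b"client-hello"), ("SH", b"server-hello"),
                  ("EE", b"encrypted-extensions"), ("CT", b"server-certificate"),
                  ("CV", b"server-certificate-verify"), ("SFIN", b"server-finished"),
                  ("CFIN", b"client-finished")]
HRR_HANDSHAKE = [("CH", b"client-hello-1"), ("HRR", b"hello-retry-request"),
                 ("CH", b"client-hello-2")] + FULL_HANDSHAKE[1:]
ECDHE_SHARED = b"\x11" * 32      # constructed stand-in for the (EC)DHE output

if __name__ == "__main__":
    for name, transcript in (("full", FULL_HANDSHAKE), ("with HRR", HRR_HANDSHAKE)):
        print(f"== {name} handshake ==")
        for label, (secret, covered) in key_schedule(ECDHE_SHARED, transcript).items():
            print(f"{label.decode():14s} {secret.hex()[:16]}...  over {' || '.join(covered)}")
```

Running it prints, for each secret, the transcript prefix it was derived over; the two `ap traffic` lines and `exp master` share the prefix ending at SFIN, `res master` is the only one listing CFIN, and the HRR run shows the `hs traffic` secrets over CH || HRR || CH || SH, where `transcript_hash` has already replaced the first ClientHello by its message_hash wrapper.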