Hi,

On 2020-05-15 22:04 +0200, Eric Rescorla <e...@rtfm.com> wrote:
> Actually, the full epoch is included in the overall sequence number and
> hence used to generate the nonce.
>
> https://tools.ietf.org/html/draft-ietf-tls-dtls13-37#section-4
>
> Does that help?
Sorry, I forgot about reading this difference in how the record sequence number is constructed in DTLS (vs. TLS, and also QUIC). Yes, this should effectively separate the nonce spaces between the different epochs / epoch keys, and implicitly authenticate the epoch through the nonce.

Cheers,
Felix

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
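As an added illustration of the point discussed above (not code from the thread or from any DTLS implementation), the following builds the DTLS 1.3 per-record AEAD nonce from the 64-bit sequence number that carries the 16-bit epoch in its high bits, following draft-ietf-tls-dtls13 section 4 and the TLS 1.3 nonce rule of RFC 8446 section 5.3. The write IV is a constructed sample value; the uniqueness check is an added defender-side helper, not part of the specification.

```python
# Added example: DTLS 1.3 nonce construction showing that the epoch separates
# the nonce space even when the 48-bit record sequence number repeats.
IV_LEN = 12  # AES-GCM / ChaCha20-Poly1305 nonce length used by TLS 1.3 AEADs


def full_sequence_number(epoch: int, seq: int) -> int:
    """Concatenate the 16-bit epoch (high bits) and the 48-bit record sequence
    number (low bits) into the 64-bit value DTLS 1.3 feeds into the nonce."""
    if not 0 <= epoch < (1 << 16):
        raise ValueError("epoch must fit in 16 bits")
    if not 0 <= seq < (1 << 48):
        raise ValueError("record sequence number must fit in 48 bits")
    return (epoch << 48) | seq


def record_nonce(write_iv: bytes, epoch: int, seq: int) -> bytes:
    """TLS 1.3 rule: left-pad the 64-bit sequence number with zeros to the
    IV length, then XOR it with the static per-direction write IV."""
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be %d bytes" % IV_LEN)
    padded = full_sequence_number(epoch, seq).to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def nonces_are_unique(write_iv: bytes, records) -> bool:
    """Defender's sanity check (hypothetical helper): every (epoch, seq) pair
    protected under one write IV must map to a distinct nonce; a repeat would
    mean AEAD nonce reuse."""
    seen = set()
    for epoch, seq in records:
        nonce = record_nonce(write_iv, epoch, seq)
        if nonce in seen:
            return False
        seen.add(nonce)
    return True


if __name__ == "__main__":
    iv = bytes.fromhex("000102030405060708090a0b")  # constructed sample write IV
    # Same 48-bit sequence number 7 in epochs 2 and 3 yields different nonces,
    # because the epoch lands in bytes 4-5 of the padded sequence number.
    n2 = record_nonce(iv, 2, 7)
    n3 = record_nonce(iv, 3, 7)
    print(n2.hex(), n3.hex(), n2 != n3)
    print(nonces_are_unique(iv, [(0, 0), (1, 0), (2, 0), (0, 1)]))
```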