On Mon, Sep 28, 2020 at 6:33 PM Michael D'Errico <mike-l...@pobox.com> wrote:
>
> On Mon, Sep 28, 2020, at 11:07, Hannes Tschofenig wrote:
> >
> > Luckily, we don't have any angry cryptographers in this group.
>
> Were they all pushed away too?
>
> Anyway, back on the topic of stateless HelloRetryRequest, I
> don't see how this can work given that the client can make
> several modifications to the ClientHello which will invalidate
> the hash sent in the "cookie" (even if the client echoes it back
> as required without modification).

The hash isn't used for validation, but for continuing the running
hash of the transcript to ensure that the negotiation isn't interfered
with. See section 4.4.1.

>
> Is stateless HelloRetryRequest even being used?  If so, how?

QUIC depends on it iiuc.

Sincerely,
Watson

-- 
Astra mortemque praestare gradatim

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
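
The transcript continuation described in the reply above, as an added example that is not part of the original thread: per RFC 8446 section 4.4.1, ClientHello1 is replaced in the transcript by a synthetic `message_hash` message, so a server that stored only Hash(ClientHello1) in the cookie reaches the same transcript hash as the client even though ClientHello2 differs. The message bytes, the cookie layout, the HMAC protection and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
MESSAGE_HASH = 254  # HandshakeType.message_hash in RFC 8446

def synthetic_message(ch1_digest):
    """message_hash || 00 00 Hash.length || Hash(ClientHello1), per section 4.4.1."""
    return bytes([MESSAGE_HASH]) + len(ch1_digest).to_bytes(3, "big") + ch1_digest

def make_cookie(key, client_hello1):
    """Stateless server: put Hash(ClientHello1) in the cookie, MAC-protected."""
    digest = HASH(client_hello1).digest()
    return digest + hmac.new(key, digest, HASH).digest()

def open_cookie(key, cookie):
    """Check the MAC on the echoed cookie and recover Hash(ClientHello1)."""
    n = HASH().digest_size
    digest, tag = cookie[:n], cookie[n:]
    if not hmac.compare_digest(tag, hmac.new(key, digest, HASH).digest()):
        raise ValueError("cookie failed integrity check")
    return digest

def build_hrr(cookie):
    """Constructed stand-in for the HelloRetryRequest bytes (not real TLS encoding)."""
    return b"HRR|cookie=" + cookie

def client_transcript(client_hello1, hrr, client_hello2):
    """Client side: it still holds ClientHello1 and hashes it itself."""
    first = synthetic_message(HASH(client_hello1).digest())
    return HASH(first + hrr + client_hello2).digest()

def stateless_server_transcript(key, cookie, client_hello2):
    """Server side: no stored ClientHello1, only the cookie echoed in ClientHello2."""
    first = synthetic_message(open_cookie(key, cookie))
    return HASH(first + build_hrr(cookie) + client_hello2).digest()

def demo():
    key = b"k" * 32  # constructed server cookie key
    ch1 = b"ClientHello|groups=x25519,secp256r1|key_share=x25519"  # constructed
    cookie = make_cookie(key, ch1)
    hrr = build_hrr(cookie)
    # ClientHello2 differs from ClientHello1: new key_share, cookie added.
    ch2 = b"ClientHello|groups=x25519,secp256r1|key_share=secp256r1|cookie=" + cookie
    return client_transcript(ch1, hrr, ch2) == stateless_server_transcript(key, cookie, ch2)

if __name__ == "__main__":
    print("transcripts match:", demo())
```
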
