On Wed, Sep 30, 2020 at 05:24:21PM -0400, Michael D'Errico wrote:
> I wrote:
>
> > Also the server can't be actually stateless since
> > it needs to know the HelloRetryRequest message
> > for the transcript hash, right?
>
> How can you even implement stateless HRR with a
> pseudo-session-ticket in the "cookie"? The server
> needs to know the full HRR message to calculate the
> transcript hash, but this can't be part of the ticket
> since the ticket is included within the HRR, thus
> changing it....

The HRR is presumed to be a deterministic function of the initial
ClientHello, and as I discussed in my earlier message, the server can
reconstruct the initial ClientHello from the second ClientHello and
verify it against the hash in the cookie.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
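
The exchange described in the reply above, as an added sketch that is not part of the original thread or of any TLS implementation: the cookie carries an authenticated hash of ClientHello1 only, so the server can rebuild the HRR byte for byte from the echoed cookie and arrive at the same transcript hash without stored state. The message bodies are a toy encoding, and `COOKIE_KEY`, the cookie layout and all function names are assumptions; the `message_hash` framing follows RFC 8446 section 4.4.1.

```python
import hashlib
import hmac

COOKIE_KEY = b"constructed-demo-key"  # assumption: the server's only long-lived secret
X25519 = b"\x00\x1d"                  # group the server asks the client to retry with

def H(data):
    return hashlib.sha256(data).digest()

def hs_msg(msg_type, body):
    # TLS handshake framing: 1-byte type, 3-byte length, body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def make_cookie(ch1):
    # Cookie = Hash(CH1) || MAC. It covers CH1 only, never the HRR that carries it.
    digest = H(ch1)
    return digest + hmac.new(COOKIE_KEY, digest, hashlib.sha256).digest()

def build_hrr(group, cookie):
    # Toy HRR body (not real wire encoding); same inputs always give the same bytes
    return hs_msg(2, group + len(cookie).to_bytes(2, "big") + cookie)

def transcript(ch1_hash, hrr, ch2):
    # RFC 8446 4.4.1: CH1 is replaced by a synthetic message_hash (type 254) message
    return H(hs_msg(254, ch1_hash) + hrr + ch2)

def first_flight(ch1, group=X25519):
    # Server answers CH1 with an HRR, then keeps nothing
    return build_hrr(group, make_cookie(ch1))

def client_retry(ch1, hrr):
    # Toy client: CH2 body = CH1 body || echoed cookie
    return hs_msg(1, ch1[4:] + hrr[8:])

def second_flight(ch2, group=X25519):
    # Stateless: uses only COOKIE_KEY and the bytes of CH2
    body = ch2[4:]
    ch1, cookie = hs_msg(1, body[:-64]), body[-64:]  # rebuild CH1 from CH2
    digest, tag = cookie[:32], cookie[32:]
    good = hmac.new(COOKIE_KEY, digest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("cookie failed authentication")
    if not hmac.compare_digest(H(ch1), digest):
        raise ValueError("rebuilt ClientHello1 does not match cookie hash")
    return transcript(digest, build_hrr(group, cookie), ch2)
```

In a real handshake the group would be read from the key_share in ClientHello2, and rebuilding ClientHello1 means undoing every change the client is permitted to make between the two hellos, not just stripping the cookie.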