> If the client is trying to perform
> some sort of attack on the server by re-sending an old cookie, I assume
> that a prerequisite for this attack is that the TLS handshake succeeds.
Maybe you don't need the handshake to succeed? As a non-cryptographer I can't say what the implications might be (as I said to Watson in private email), but some of you are crypto people. If you can create N parallel sessions using the same cookie (send the same ClientHello1 with the same Random value (?), or maybe trick a poorly-written server by sending an initial ClientHello1 containing a cookie extension, or use DTLS (?)), what could you do as a malicious client? I don't know the answer; I'm asking.

Mike

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
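Mike's question above is about one HelloRetryRequest cookie being reused to open several handshakes. As an added example that is not part of the thread and not code from any TLS implementation, here is a hypothetical stateless server-side cookie issuer and validator in Python: the cookie carries the transcript hash of ClientHello1 (which a stateless server needs to rebuild the transcript), is HMAC-bound to the client Random (which RFC 8446 requires the client to keep unchanged in the second ClientHello), has a short lifetime, and is tracked in a nonce cache so that a replayed cookie opens at most one handshake. The cookie layout, the 30-second lifetime, the function names and the sample inputs are all assumptions for this example; RFC 8446 leaves the cookie's contents entirely to the server.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical cookie layout (an assumption, not an RFC 8446 format):
#   nonce(16) || expiry(8, big-endian unix seconds) || ch1_hash(32) || mac(32)
# The MAC also covers the client Random, which is not stored in the cookie;
# the server recomputes it from the Random in the second ClientHello.
COOKIE_TTL = 30          # assumed policy: seconds a cookie may be redeemed
NONCE_LEN = 16
EXPIRY_LEN = 8
HASH_LEN = 32
MAC_LEN = 32
COOKIE_LEN = NONCE_LEN + EXPIRY_LEN + HASH_LEN + MAC_LEN


def transcript_hash(client_hello1: bytes) -> bytes:
    """Hash of the first ClientHello the cookie must be bound to."""
    return hashlib.sha256(client_hello1).digest()


def _mac(key: bytes, nonce: bytes, expiry: bytes, ch1_hash: bytes,
         client_random: bytes) -> bytes:
    return hmac.new(key, nonce + expiry + ch1_hash + client_random,
                    hashlib.sha256).digest()


def issue_cookie(key: bytes, client_hello1: bytes, client_random: bytes,
                 now: float) -> bytes:
    """Build the cookie the server puts in its HelloRetryRequest."""
    nonce = os.urandom(NONCE_LEN)
    expiry = struct.pack(">Q", int(now) + COOKIE_TTL)
    ch1_hash = transcript_hash(client_hello1)
    return nonce + expiry + ch1_hash + _mac(key, nonce, expiry, ch1_hash,
                                            client_random)


def validate_cookie(key: bytes, cookie: bytes, client_random: bytes,
                    now: float, seen_nonces: set):
    """Check a cookie echoed in the second ClientHello.

    Returns (status, ch1_hash). status is "ok" or a rejection reason.
    seen_nonces is shared across the server's accept loop so one cookie can
    be redeemed once; the MAC check rejects forged cookies and cookies issued
    to a different client Random, whatever ClientHello they arrive in.
    """
    if len(cookie) != COOKIE_LEN:
        return "malformed", None
    nonce = cookie[:NONCE_LEN]
    expiry = cookie[NONCE_LEN:NONCE_LEN + EXPIRY_LEN]
    ch1_hash = cookie[NONCE_LEN + EXPIRY_LEN:NONCE_LEN + EXPIRY_LEN + HASH_LEN]
    mac = cookie[NONCE_LEN + EXPIRY_LEN + HASH_LEN:]
    expected = _mac(key, nonce, expiry, ch1_hash, client_random)
    if not hmac.compare_digest(mac, expected):
        return "bad mac", None
    if struct.unpack(">Q", expiry)[0] < now:
        return "expired", None
    if nonce in seen_nonces:
        return "replay", None
    seen_nonces.add(nonce)
    return "ok", ch1_hash


def parallel_redemptions(key: bytes, cookie: bytes, client_random: bytes,
                         now: float, n: int) -> int:
    """How many of n handshakes presenting the same cookie are accepted."""
    seen = set()
    return sum(1 for _ in range(n)
               if validate_cookie(key, cookie, client_random, now, seen)[0] == "ok")


if __name__ == "__main__":
    # Constructed sample inputs, not a real handshake capture.
    key = os.urandom(32)
    ch1 = b"constructed ClientHello1 bytes"
    rnd = os.urandom(32)
    cookie = issue_cookie(key, ch1, rnd, now=1000.0)
    print(parallel_redemptions(key, cookie, rnd, 1001.0, 5))  # 1
```

The nonce cache is the piece a purely stateless design cannot have; without it a valid cookie is good for as many handshakes as the client cares to start within its lifetime, which is exactly the situation the question asks about.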