On Fri, 02 Oct 2020 14:15:48 -0400 "Michael D'Errico" <mike-l...@pobox.com> wrote:
> > > You can't possibly implement [stateless HelloRetryRequest] the
> > > way the spec suggests with just a hash in a HRR cookie extension.

Lots of people have and it works just fine, so it seems to me that "You can't possibly" here means something closer to "I still don't understand how to" and as such would be more appropriate to some sort of programming Q&A site like Stack Overflow than an IETF working group.

> Many of the fields in HelloRetryRequest are fixed or predictable, but
> the legacy_session_id_echo is not, for example. Also, relying on the
> client to remind you what the hash of ClientHello1 is seems extremely
> "optimistic" (in my opinion).

The client MUST use the same value for legacy_session_id in its retried ClientHello. As a result this value will be available alongside the cookie.

Section 4.4.2 is clear that a hash used this way in the cookie should be "protected with some suitable integrity protection algorithm". For example some implementations use an HMAC construction, but you could do other things here successfully. So in fact this is not especially optimistic.

Nick.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
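The mechanism Nick describes, as an added worked example that is not code from this thread or from any TLS implementation: the server puts Hash(ClientHello1) in the cookie under an HMAC, then on ClientHello2 recovers that hash, rebuilds the HelloRetryRequest it must have sent (legacy_session_id_echo taken from ClientHello2, the rest fixed) and forms the RFC 8446 Section 4.4.1 transcript with the synthetic message_hash in place of ClientHello1. The ClientHello and HRR framing is real TLS 1.3 wire format, but the messages are skeletal (only the cookie and supported_versions extensions are carried), and the key, session id and random values are constructed for reproducibility. The HMAC-over-hash cookie is one of the "suitable integrity protection" choices, not the only one.

```python
import hashlib
import hmac
import struct
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
# RFC 8446 4.1.3: the fixed Random value that marks a ServerHello as a HelloRetryRequest.
HRR_RANDOM = bytes.fromhex(
    "CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")
TLS_AES_128_GCM_SHA256 = b"\x13\x01"
EXT_SUPPORTED_VERSIONS, EXT_COOKIE = 0x002B, 0x002C
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_MESSAGE_HASH = 1, 2, 254


def handshake(msg_type: int, body: bytes) -> bytes:
    """Wrap a body in the 4-byte Handshake header (type + 24-bit length)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def extension(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(client_random: bytes, session_id: bytes, cookie: bytes = b"") -> bytes:
    """Skeletal ClientHello (constructed): real framing, only the cookie extension."""
    exts = extension(EXT_COOKIE, struct.pack("!H", len(cookie)) + cookie) if cookie else b""
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2) + TLS_AES_128_GCM_SHA256   # cipher_suites
            + b"\x01\x00"                                      # legacy_compression_methods
            + struct.pack("!H", len(exts)) + exts)
    return handshake(HS_CLIENT_HELLO, body)


def legacy_session_id(client_hello: bytes) -> bytes:
    """legacy_session_id sits at a fixed offset: header(4) + version(2) + random(32)."""
    return client_hello[39:39 + client_hello[38]]


def find_extension(client_hello: bytes, ext_type: int) -> Optional[bytes]:
    """Walk past session id, cipher suites and compression to the extension list."""
    off = 39 + client_hello[38]
    off += 2 + struct.unpack("!H", client_hello[off:off + 2])[0]
    off += 1 + client_hello[off]
    end = off + 2 + struct.unpack("!H", client_hello[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        t, length = struct.unpack("!HH", client_hello[off:off + 4])
        if t == ext_type:
            return client_hello[off + 4:off + 4 + length]
        off += 4 + length
    return None


def transcript_hash(*messages: bytes) -> bytes:
    h = HASH()
    for m in messages:
        h.update(m)
    return h.digest()


def make_cookie(key: bytes, client_hello1: bytes) -> bytes:
    """Server, on ClientHello1: cookie = Hash(CH1) || HMAC(key, Hash(CH1))."""
    ch1_hash = transcript_hash(client_hello1)
    return ch1_hash + hmac.new(key, ch1_hash, HASH).digest()


def open_cookie(key: bytes, cookie: bytes) -> Optional[bytes]:
    """Server, on ClientHello2: verify the tag and recover Hash(CH1), else None."""
    if len(cookie) != 2 * HASH_LEN:
        return None
    ch1_hash, tag = cookie[:HASH_LEN], cookie[HASH_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ch1_hash, HASH).digest()):
        return None
    return ch1_hash


def build_hrr(session_id: bytes, cookie: bytes) -> bytes:
    """HelloRetryRequest: fixed random, echoed session id, fixed suite, cookie."""
    exts = (extension(EXT_SUPPORTED_VERSIONS, b"\x03\x04")
            + extension(EXT_COOKIE, struct.pack("!H", len(cookie)) + cookie))
    body = (b"\x03\x03" + HRR_RANDOM + bytes([len(session_id)]) + session_id
            + TLS_AES_128_GCM_SHA256 + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return handshake(HS_SERVER_HELLO, body)


def synthetic_message_hash(ch1_hash: bytes) -> bytes:
    """RFC 8446 4.4.1: ClientHello1 is replaced by message_hash(Hash(ClientHello1))."""
    return handshake(HS_MESSAGE_HASH, ch1_hash)


def stateless_server_transcript(key: bytes, client_hello2: bytes) -> Optional[bytes]:
    """With no stored state, rebuild the transcript from ClientHello2 alone."""
    ext = find_extension(client_hello2, EXT_COOKIE)
    if ext is None:
        return None
    cookie = ext[2:2 + struct.unpack("!H", ext[:2])[0]]
    ch1_hash = open_cookie(key, cookie)
    if ch1_hash is None:
        return None
    hrr = build_hrr(legacy_session_id(client_hello2), cookie)
    return transcript_hash(synthetic_message_hash(ch1_hash), hrr, client_hello2)


def demo() -> dict:
    """Constructed key/session id/random so every run is identical; not real traffic."""
    key = HASH(b"constructed server cookie key").digest()
    sid, client_random = bytes(range(32)), bytes(32)
    ch1 = build_client_hello(client_random, sid)
    cookie = make_cookie(key, ch1)
    hrr_sent = build_hrr(sid, cookie)                 # what a stateful server would keep
    ch2 = build_client_hello(client_random, sid, cookie)
    stateful = transcript_hash(synthetic_message_hash(transcript_hash(ch1)), hrr_sent, ch2)
    stateless = stateless_server_transcript(key, ch2)
    # A modified cookie fails the HMAC check; a different legacy_session_id rebuilds
    # a different HRR, so the transcripts (and later handshake keys) cannot agree.
    bad_cookie = bytes([cookie[0] ^ 1]) + cookie[1:]
    tampered = stateless_server_transcript(key, build_client_hello(client_random, sid, bad_cookie))
    wrong_sid = stateless_server_transcript(key, build_client_hello(client_random, b"\x00" * 32, cookie))
    return {"stateful": stateful, "stateless": stateless, "tampered": tampered, "wrong_sid": wrong_sid}


if __name__ == "__main__":
    r = demo()
    print("stateless transcript matches stateful:", r["stateful"] == r["stateless"])
    print("tampered cookie rejected:", r["tampered"] is None)
```

The point of the comparison in `demo()` is that the stateless server ends up with byte-for-byte the same transcript hash as a server that had kept the original HelloRetryRequest in memory, because everything it needs is either fixed by the protocol, echoed by the client, or carried in the integrity-protected cookie.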