> I forget, did we need to bind it to the actual handshake secret, or was
> the transcript and ClientHelloInner.random sufficient? That would avoid the
> circular processing dependency.

As I recall, it was decided to bind the acceptance signal to the handshake signal in order to mitigate some specific, active, "don't-stick-out" attacks.

Chris P.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls