I meant "would work with TLS 1.3". I don't believe it will work with TLS 1.2 even with EMS because (even with the MAC) the SI extension is bound to the ClientHello, which is replayable in 1.2 because it contains public information, with the only non-fixed information being the random. However, in 1.3 it contains the DH key share, which the attacker doesn't know the corresponding private value for.

-Ekr

On Tue, Mar 29, 2016 at 8:53 PM, Martin Thomson <martin.thom...@gmail.com> wrote:

> On 30 March 2016 at 14:19, Eric Rescorla <e...@rtfm.com> wrote:
> > That wouldn't work with TLS 1.2 but would work with TLS 1.2.
>
> I think that you meant that it would work with TLS 1.2 and extended
> master secret, or TLS 1.3.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls