On Wed, Mar 30, 2016 at 12:52:23PM +1100, Martin Thomson wrote: > On 30 March 2016 at 12:49, Colm MacCárthaigh <c...@allcosts.net> wrote: > > But isn't that too late? If you have to wait for the client finished message > > before you can even decrypt the 0RTT section; what's the benefit? it's not > > "0RTT" any more. > > There is a Finished message in the client's first flight. It's before > the early data.
Only if using 0-RTT auth, which seems is going to be removed (yay). However, one still can't tamper with timestamp in ClientHello: The ClientHello affects the 0-RTT encryption keys and 0-RTT decrypt failure (as opposed to not being able to derive 0-RTT keys) is a fatal error (no fallback). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls