On Sun, Oct 9, 2016 at 7:10 AM, Eric Rescorla <e...@rtfm.com> wrote:

> On Sun, Oct 9, 2016 at 6:58 AM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>
>> On Fri, Oct 07, 2016 at 08:01:43AM -0700, Eric Rescorla wrote:
>> > After the discussion on PR #615, I took another pass at this with some
>> > help from the research community. Please see:
>> >
>> > https://github.com/tlswg/tls13-spec/pull/672
>> >
>>
>> Also, an observation: This seems to interact in a somewhat annoying way
>> with stateless HRR.
>>
>> Basically, CH reconstruction no longer works properly, so one needs to
>> have a freezeable PRF hash (and most implementations of hashes can not
>> be frozen).
>>
>
> I've been coming to the conclusion that CH reconstruction is a bad idea.
> It's tricky to get right and in the common case involves a lot of bloat
> in the CH (because of duplicating the Key Shares). I think we would be
> better off just removing it and replacing (rather than appending to)
> KeyShares in HRR. This was primarily intended as an attempt to avoid the
> need to continue the hash in any case.
>

See: https://github.com/tlswg/tls13-spec/pull/678

-Ekr

> Best,
> -Ekr
>
>
> And server not supporting PSK does not help here.
>>
>>
>> (BTW: Similar thing comes up if you try to freeze an established TLS
>> session: Currently you need to freeze a hash due to post-handshake
>> authentication, even if you don't support it. Nothing else in TLS
>> 1.2 or 1.3 needs hash freezing for established session).
>>
>>
>> -Ilari
>>
>
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls