A few things I noticed while reading the draft to prepare for today’s session:

We talk in a couple places about datagram protocols being “vulnerable” or 
“susceptible” to DoS attacks, which leads me to at least partially read that as 
meaning that the protocol’s own service will be disrupted; as we know, this is 
not the whole story, as the reflection/amplification part can facilitate DoS 
attacks targeted at other services/networks.  So perhaps some rewording is in 
order.

We should catch up to the ClientHello1 being included in the transcript hash as 
the synthetic message_hash message, so the full transcript of it need not be 
stored in the HelloRetryRequest.

On page 20, second paragraph, please be clear that it is the message_seq vs. 
the record sequence_number that must match next_receive_seq.

I also made a note of the different key update behavior of this draft vs. 
draft-ietf-tls-tls13-19, with the epoch change and lockstep rekeying between 
peers.  That was in the presentation as well, but I haven’t had my thoughts 
settle into which flavor I prefer, yet, though the explicit KeyUpdate does have 
some advantages.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
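
An added example, not part of the original message: it shows why the synthetic message_hash lets a stateless server carry only Hash(ClientHello1) through the HelloRetryRequest round trip instead of the full ClientHello1. The message_hash construction follows RFC 8446 section 4.4.1; the cookie layout, the MAC key handling, and the placeholder message bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
MESSAGE_HASH = 0xFE              # HandshakeType message_hash in RFC 8446
COOKIE_KEY = os.urandom(32)      # server-local MAC key, constructed for this example


def synthetic_message_hash(ch1_digest: bytes) -> bytes:
    """Handshake header (type, 24-bit length) followed by Hash(ClientHello1)."""
    return bytes([MESSAGE_HASH]) + len(ch1_digest).to_bytes(3, "big") + ch1_digest


def _tag(ch1_digest: bytes, peer_addr: bytes) -> bytes:
    # The digest has a fixed length, so plain concatenation is unambiguous.
    return hmac.new(COOKIE_KEY, ch1_digest + peer_addr, HASH).digest()


def make_cookie(client_hello1: bytes, peer_addr: bytes) -> bytes:
    """Hypothetical cookie layout: Hash(ClientHello1) || MAC(digest, peer address)."""
    digest = HASH(client_hello1).digest()
    return digest + _tag(digest, peer_addr)


def open_cookie(cookie: bytes, peer_addr: bytes) -> bytes:
    """Return Hash(ClientHello1) if the cookie is intact and from the same address."""
    n = HASH().digest_size
    if len(cookie) != 2 * n:
        raise ValueError("malformed cookie")
    digest, tag = cookie[:n], cookie[n:]
    if not hmac.compare_digest(tag, _tag(digest, peer_addr)):
        raise ValueError("cookie failed verification")
    return digest


def transcript_hash(ch1_digest: bytes, *later_messages: bytes) -> bytes:
    """Transcript hash with ClientHello1 replaced by the synthetic message."""
    h = HASH(synthetic_message_hash(ch1_digest))
    for msg in later_messages:
        h.update(msg)
    return h.digest()


# Constructed placeholder bytes, not real handshake encodings.
CH1 = b"ClientHello1" + bytes(900)
HRR = b"HelloRetryRequest"
CH2 = b"ClientHello2"
ADDR = b"192.0.2.10:4433"
```

The cookie stays at 64 bytes however large ClientHello1 is, and a cookie returned from a different source address fails verification.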
