Hi all, On ACK protection, DTLS 1.3 Draft 37 says in Section 7:
ACK records MUST be sent with an epoch that is equal to or higher than the record which is being acknowledged. Implementations SHOULD simply use the current key. Since the update of incoming and outgoing keying material is independent, I don't know how this can be enforced: After a sequence of key updates, the incoming epoch might be 42 while the outgoing epoch is 17. What problems arise if one replaces the paragraph by the following: ACK records MUST be sent with the current key, irrespective of the epoch that is used to protect the record that is being acknowledged. It appears that the paragraph is particularly relevant for the case of ACKing a ServerHello, which as far as I understand shall happen with epoch 1. Since 'current key' doesn't appear unambiguously defined at the point of the client processing the ServerHello, it might be worth spelling out this case explicitly. Best, Hanno IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
