Hi Ben,

Thanks for your note and for your efforts on the tutorial!

On Wed, Apr 29, 2020 at 5:43 AM Ben Smyth <resea...@bensmyth.com> wrote:

> Section 4.2.10 requires a server receiving early data to behave in ways
> including (p53):
>
> * Ignore the extension and return a regular 1-RTT response.  The server
> then skips past early data by attempting to deprotect received records
> using the handshake traffic key, discarding records which fail
> deprotection...
>
> * Request that the client send another ClientHello by responding with a
> HelloRetryRequest... The server then ignores early data by skipping all
> records with an external content type of "application_data"...
>
> What are the use cases for each behaviour?
>

I expect that the first response will be the ordinary one. However, in some
cases you will be forced to employ the second one because it is not
possible to send a SH. For instance, consider the case where the server has
been reconfigured and no longer accepts the DH group that the client
employs in the CH. In that case, it will have to send HRR.
> And why does the former rely on deprotecting, when checking record content
> types is surely more efficient?
>

Unfortunately, the record types are encrypted, and this will not work.

Best,
-Ekr
> (I'm extending my TLS 1.3 tutorial --
> https://bensmyth.com/publications/2019-TLS-tutorial/ -- to include
> discussion of early data and I'm struggling to understand the rationale
> behind these two behaviours.)
>
>
> Best regards,
>
> Ben
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
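As an added illustration (not part of the thread or of any TLS implementation), here are the two skipping strategies quoted from Section 4.2.10 side by side in Python: trial deprotection with the client handshake traffic key after a plain ServerHello, and dropping records by outer content type after a HelloRetryRequest. The record AEAD is replaced by a constructed keyed-MAC stand-in, all keys and records are constructed sample data, and the byte budget is the max_early_data_size bound that RFC 8446 Section 4.2.10 places on skipped early data.

```python
import hashlib, hmac
from dataclasses import dataclass
HANDSHAKE, APPLICATION_DATA, TAG_LEN = 22, 23, 32   # TLS ContentType values; MAC tag length

@dataclass
class Record:
    content_type: int   # outer type: 23 for every protected record, 22 for plaintext handshake
    body: bytes         # for protected records: payload || tag

def protect(key: bytes, seq: int, payload: bytes) -> Record:
    # Constructed stand-in for the record AEAD: a keyed MAC over (sequence number, payload).
    # Real TLS 1.3 also encrypts, but only pass/fail of deprotection matters for the skip logic.
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return Record(APPLICATION_DATA, payload + tag)

def deprotect(key: bytes, seq: int, rec: Record):
    payload, tag = rec.body[:-TAG_LEN], rec.body[-TAG_LEN:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def skip_via_deprotection(records, handshake_key: bytes, max_early_data_size: int):
    """Path 1 (plain ServerHello sent): 0-RTT and handshake records share outer type 23, so
    trial-deprotect each with the client handshake key; its first record has sequence number 0."""
    skipped = 0
    for rec in records:
        plaintext = deprotect(handshake_key, 0, rec)
        if plaintext is not None:
            return plaintext, skipped   # first client handshake record (e.g. Finished)
        skipped += len(rec.body)
        if skipped > max_early_data_size:   # RFC 8446 4.2.10: SHOULD abort with unexpected_message
            raise ConnectionError("unexpected_message: early data exceeds max_early_data_size")
    raise ConnectionError("no client handshake record found")

def skip_via_content_type(records, max_early_data_size: int):
    """Path 2 (HelloRetryRequest sent): the second ClientHello is plaintext (outer type 22), so
    records with outer type application_data are dropped without any key material."""
    skipped = 0
    for rec in records:
        if rec.content_type != APPLICATION_DATA:
            return rec.body, skipped
        skipped += len(rec.body)
        if skipped > max_early_data_size:
            raise ConnectionError("unexpected_message: early data exceeds max_early_data_size")
    raise ConnectionError("no plaintext ClientHello found")

# Constructed sample traffic: two 0-RTT records, then the client's next record on each path.
EARLY_KEY, HS_KEY = b"constructed-early-traffic-key", b"constructed-handshake-traffic-key"
EARLY = [protect(EARLY_KEY, 0, b"GET / HTTP/1.1"), protect(EARLY_KEY, 1, b"Host: example")]
AFTER_SH = EARLY + [protect(HS_KEY, 0, b"Finished")]
AFTER_HRR = EARLY + [Record(HANDSHAKE, b"ClientHello#2")]
```

Both paths return the first post-early-data record together with the number of bytes discarded, which is the value to compare against the advertised max_early_data_size.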