As far as I can tell, secret [sender]_handshake_traffic_secret is computed over transcript CH || SH or CH || HRR || CH || SH. (A server can compute their secret once they've computed SH, whereas a client must wait until they've received SH before computing their secret.) Secret server_application_traffic_0 is computed over an extended transcript which additionally includes EE, (optionally) CR, (optionally) CT & CV, and FIN, and secret client_application_traffic_0 further extends that transcript to include (optionally) EndOfEarlyData, (optionally) CT, (optionally) CV, and FIN. Is that right?
Best regards, Ben
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
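For reference alongside the question above, an added example (not part of the original message) that maps each secret to its transcript as RFC 8446 sections 7.1 and 4.4.1 specify it, going slightly beyond the message by also covering the exporter and resumption secrets. In that RFC both application traffic secrets use the transcript through the server Finished, the client Finished enters only the resumption master secret, and after a HelloRetryRequest the first ClientHello is replaced by a synthetic message_hash message. Assumptions: a SHA-256 cipher suite, and constructed placeholder message bytes and short message names in place of real handshake encodings.

```python
import hashlib, hmac

H = hashlib.sha256            # assumption: a SHA-256 suite, e.g. TLS_AES_128_GCM_SHA256
HLEN = H().digest_size

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand_label(secret, label, context, length=HLEN):
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    # One HMAC block suffices because length <= HLEN here (HKDF-Expand, T(1)).
    return hmac.new(secret, info + b"\x01", H).digest()[:length]

def derive_secret(secret, label, transcript):
    return hkdf_expand_label(secret, label, H(transcript).digest())

def transcript(msgs):
    """Concatenate (name, bytes) handshake messages per RFC 8446 section 4.4.1."""
    if len(msgs) > 1 and msgs[1][0] == "HRR":
        # ClientHello1 is replaced by a synthetic message_hash message (type 254).
        synthetic = bytes([254, 0, 0, HLEN]) + H(msgs[0][1]).digest()
        msgs = [("message_hash", synthetic)] + msgs[1:]
    return b"".join(body for _, body in msgs)

def cut(msgs, name, nth):
    """Messages up to and including the nth occurrence of `name`."""
    hits = [i for i, (n, _) in enumerate(msgs) if n == name]
    return msgs[: hits[nth] + 1]

def key_schedule(msgs, dhe, psk=bytes(HLEN)):
    to_sh, to_sfin, to_cfin = (transcript(cut(msgs, n, k))
                               for n, k in (("SH", 0), ("FIN", 0), ("FIN", -1)))
    early = hkdf_extract(bytes(HLEN), psk)
    hs = hkdf_extract(derive_secret(early, b"derived", b""), dhe)
    master = hkdf_extract(derive_secret(hs, b"derived", b""), bytes(HLEN))
    plan = [(hs, b"c hs traffic", to_sh), (hs, b"s hs traffic", to_sh),
            (master, b"c ap traffic", to_sfin), (master, b"s ap traffic", to_sfin),
            (master, b"exp master", to_sfin), (master, b"res master", to_cfin)]
    return {lbl.decode(): (derive_secret(s, lbl, t), t) for s, lbl, t in plan}

# Constructed placeholder messages (not real handshake encodings), HRR flight.
FLIGHT = [("CH", b"ch1"), ("HRR", b"hrr"), ("CH", b"ch2"), ("SH", b"sh"),
          ("EE", b"ee"), ("CT", b"s-cert"), ("CV", b"s-cv"), ("FIN", b"s-fin"),
          ("FIN", b"c-fin")]
SECRETS = key_schedule(FLIGHT, dhe=b"\x11" * 32)
```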