Jim Schaad wrote:
>> I suggest writing:
>>
>> TLS 1.3 introduced early application data which is not used in EAP-TLS. A
>> server which receives an "early_data" extension MUST ignore the extension
>> or respond with a HelloRetryRequest as described in Section 4.2.10 of RFC
>> 8446.
>
> That is better, an additional note that new session tickets MUST NOT include
> the early data extension would also be relevant.
I don't think this sentence works... according to Figure 3 of RFC 8446, the TLS
server (but not the TLS client) can send early data even if the client did not
provide an early_data extension. The text in RFC 8446 says very little about the
[Application Data*] from the TLS server....
       Client                                               Server

Initial Handshake:
       ClientHello
       + key_share               -------->
                                                       ServerHello
                                                       + key_share
                                             {EncryptedExtensions}
                                             {CertificateRequest*}
                                                    {Certificate*}
                                              {CertificateVerify*}
                                                        {Finished}
                                 <--------     [Application Data*]
       {Certificate*}
       {CertificateVerify*}
       {Finished}                -------->
                                 <--------      [NewSessionTicket]
       [Application Data]        <------->      [Application Data]
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
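The proposed text above requires an EAP-TLS server to notice an "early_data" extension in the ClientHello and either ignore it or answer with a HelloRetryRequest. The following is an added example, not code from this thread or from any EAP-TLS implementation: it parses a ClientHello body per RFC 8446 Section 4.1.2, reports whether the early_data extension (code point 42) is present, and implements the "ignore" option by dropping that extension from the list the server goes on to process. The ClientHello bytes and the extension payloads are constructed here for the example; the key_share and supported_versions contents are placeholders, not valid extension data.

```python
import struct

# ExtensionType code points from RFC 8446 Section 4.2 (real values)
EXT_EARLY_DATA = 42
EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (the bytes after the 4-byte Handshake header).

    Returns the fixed fields plus extensions as a list of (type, data) tuples.
    Raises ValueError on truncated or malformed input, including duplicate
    extension types, which RFC 8446 Section 4.2 forbids.
    """
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[off:off + n]
        off += n
        return chunk

    legacy_version = struct.unpack("!H", take(2))[0]
    random = take(32)
    sid_len = take(1)[0]
    if sid_len > 32:
        raise ValueError("legacy_session_id longer than 32 bytes")
    session_id = take(sid_len)
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len < 2 or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    cs_raw = take(cs_len)
    cipher_suites = [struct.unpack("!H", cs_raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len = take(1)[0]
    if comp_len < 1:
        raise ValueError("bad legacy_compression_methods length")
    compression = list(take(comp_len))

    extensions = []
    if off < len(body):  # a TLS 1.3 ClientHello always carries extensions
        ext_len = struct.unpack("!H", take(2))[0]
        if off + ext_len != len(body):
            raise ValueError("extensions length does not match body length")
        seen = set()
        while off < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            if etype in seen:
                raise ValueError(f"duplicate extension type {etype}")
            seen.add(etype)
            extensions.append((etype, take(elen)))

    return {
        "legacy_version": legacy_version,
        "random": random,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression": compression,
        "extensions": extensions,
    }


def has_early_data(body: bytes) -> bool:
    """True if the ClientHello offers 0-RTT data via the early_data extension."""
    return any(t == EXT_EARLY_DATA for t, _ in parse_client_hello(body)["extensions"])


def screen_client_hello(body: bytes) -> tuple[list[int], bool]:
    """Apply the 'ignore' option of the proposed EAP-TLS text.

    Returns the extension types the server should continue to process, with
    early_data removed, and a flag saying whether it was present (useful for
    logging that a peer offered 0-RTT data on an EAP-TLS exchange).
    """
    types = [t for t, _ in parse_client_hello(body)["extensions"]]
    ignored = EXT_EARLY_DATA in types
    return [t for t in types if t != EXT_EARLY_DATA], ignored


def build_client_hello(extensions: list[tuple[int, bytes]],
                       random: bytes = bytes(range(32))) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello body for testing (constructed
    sample: empty session_id, one cipher suite TLS_AES_128_GCM_SHA256, null compression)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return (struct.pack("!H", 0x0303) + random + b"\x00"
            + struct.pack("!H", 2) + struct.pack("!H", 0x1301)
            + b"\x01\x00"
            + struct.pack("!H", len(ext_body)) + ext_body)


if __name__ == "__main__":
    # Placeholder extension payloads; only the presence of early_data matters here.
    offered = build_client_hello([(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04"),
                                  (EXT_KEY_SHARE, b"\x00\x00"),
                                  (EXT_EARLY_DATA, b"")])
    print("early_data offered:", has_early_data(offered))
    print("extensions kept, early_data ignored:", screen_client_hello(offered))
```

Note that the server-side `[Application Data*]` in the figure (data the server sends after its own Finished, before the client's) is not governed by this extension at all; the parser only answers the narrower question the proposed text asks, namely whether the client offered early data.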