Jim Schaad wrote:
>> I suggest writing:
>>
>> TLS 1.3 introduced early application data which is not used in EAP-TLS. A
>> server which receives an "early_data" extension MUST ignore the extension
>> or respond with a HelloRetryRequest as described in Section 4.2.10 of RFC
>> 8446.
>
> That is better, an additional note that new session tickets MUST NOT include
> the early data extension would also be relevant.
I don't think this sentence works... according to Figure 3 of RFC 8446, the TLS server (but not the TLS client) can send early data even if the client did not provide an early_data extension. The text in RFC 8446 says very little about the [Application Data*] from the TLS server....

       Client                                               Server

Initial Handshake:
       ClientHello
       + key_share               -------->
                                                       ServerHello
                                                       + key_share
                                             {EncryptedExtensions}
                                             {CertificateRequest*}
                                                    {Certificate*}
                                              {CertificateVerify*}
                                                        {Finished}
                                 <--------     [Application Data*]
       {Certificate*}
       {CertificateVerify*}
       {Finished}                -------->
                                 <--------      [NewSessionTicket]
       [Application Data]        <------->      [Application Data]

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
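The two server-side checks the thread is debating, "ignore an early_data extension in the ClientHello" and "never put early_data in a NewSessionTicket", can be exercised against the wire formats of RFC 8446 Sections 4.1.2 and 4.6.1. The following is an added example written for this page, not code from the thread, any EAP-TLS implementation or any TLS library; the ClientHello and NewSessionTicket bodies it parses are constructed in the block itself, and the helper names (`eap_tls_early_data_policy`, `ticket_offers_early_data`, `build_client_hello`, `build_new_session_ticket`) are this example's own. It only implements the "MUST ignore" branch of the proposed text (dropping the extension), not the HelloRetryRequest alternative.

```python
"""Constructed example: find the TLS 1.3 early_data extension (type 42) in a
ClientHello and in a NewSessionTicket body, the two places the proposed
EAP-TLS text cares about.  Layouts follow RFC 8446 Sec. 4.1.2 and 4.6.1;
the sample messages below are built here, not captured from a real peer."""
import struct

EARLY_DATA = 42            # early_data(42), RFC 8446 Sec. 4.2
SUPPORTED_VERSIONS = 43
KEY_SHARE = 51


def _vector(data, pos, len_bytes):
    """Read a length-prefixed opaque vector; return (contents, next position)."""
    n = int.from_bytes(data[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(data):
        raise ValueError("truncated vector")
    return data[pos:pos + n], pos + n


def parse_extensions(blob):
    """Turn an Extension<..> vector body into a list of (type, data) pairs."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type = int.from_bytes(blob[pos:pos + 2], "big")
        ext_data, pos = _vector(blob, pos + 2, 2)
        out.append((ext_type, ext_data))
    return out


def client_hello_extensions(body):
    """Skip the fixed ClientHello fields (handshake header already removed)
    and return the parsed extensions."""
    pos = 2 + 32                          # legacy_version + random
    _, pos = _vector(body, pos, 1)        # legacy_session_id
    _, pos = _vector(body, pos, 2)        # cipher_suites
    _, pos = _vector(body, pos, 1)        # legacy_compression_methods
    exts, _ = _vector(body, pos, 2)       # extensions
    return parse_extensions(exts)


def new_session_ticket_extensions(body):
    """Skip the fixed NewSessionTicket fields and return its extensions."""
    pos = 4 + 4                           # ticket_lifetime + ticket_age_add
    _, pos = _vector(body, pos, 1)        # ticket_nonce
    _, pos = _vector(body, pos, 2)        # ticket
    exts, _ = _vector(body, pos, 2)
    return parse_extensions(exts)


def eap_tls_early_data_policy(client_hello_body):
    """The 'MUST ignore' branch of the proposed text: report whether the
    client offered early_data and return the extension types that survive
    after the server drops it."""
    exts = client_hello_extensions(client_hello_body)
    offered = any(t == EARLY_DATA for t, _ in exts)
    kept = [t for t, _ in exts if t != EARLY_DATA]
    return offered, kept


def ticket_offers_early_data(nst_body):
    """True if a NewSessionTicket carries early_data (max_early_data_size),
    which the thread argues an EAP-TLS server must never send."""
    return any(t == EARLY_DATA for t, _ in new_session_ticket_extensions(nst_body))


def _ext(ext_type, data=b""):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(with_early_data):
    """Constructed minimal TLS 1.3 ClientHello body (no handshake header)."""
    exts = _ext(SUPPORTED_VERSIONS, b"\x02\x03\x04") + _ext(KEY_SHARE, b"\x00\x00")
    if with_early_data:
        exts += _ext(EARLY_DATA)          # early_data is empty in a ClientHello
    return (b"\x03\x03" + bytes(32)                  # legacy_version, random
            + b"\x00"                                # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(exts)) + exts)


def build_new_session_ticket(max_early_data=None):
    """Constructed NewSessionTicket body, optionally advertising early data."""
    exts = b""
    if max_early_data is not None:
        exts = _ext(EARLY_DATA, struct.pack("!I", max_early_data))
    return (struct.pack("!II", 7200, 0x12345678)     # lifetime, ticket_age_add
            + b"\x01\x00"                            # 1-byte ticket_nonce
            + struct.pack("!H", 4) + b"tick"         # constructed opaque ticket
            + struct.pack("!H", len(exts)) + exts)


if __name__ == "__main__":
    print(eap_tls_early_data_policy(build_client_hello(True)))
    print(ticket_offers_early_data(build_new_session_ticket(16384)))
```

Both parsers only walk the message far enough to reach the extensions block, which is what a conformance check on an EAP-TLS server (or a test case fed to it) needs; note that the 0.5-RTT [Application Data*] the server sends after its Finished, the case raised in the reply above, is not signalled by any extension and so is invisible to these checks.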