The processing of keys *can* happen between T2 and T3, so its effects are theoretically invisible.
But there is nothing that says we have to return the NTS response in the next packet. If a client only wants to use authenticated packets, for some definition of authenticated, then either the initial packets will need to be protected by a symmetric key MAC, or the client will either ignore the packets completely or save them up until a subsequent trusted packet can be used to lend credence to the earlier unauthenticated timestamps.

H
