On Fri, Oct 9, 2015 at 3:23 PM, Short, Todd <[email protected]> wrote:
> > > On Oct 9, 2015, at 8:48 AM, Karthikeyan Bhargavan < > [email protected]> wrote: > > - There is a 1/(2^N) chance that valid connections to TLS 1.2 servers will > be dropped by > TLS 1.3 clients, because of this proposal. This only happens for > servers that do not > use the unix timestamp (the current timestamp is greater than 0304xxxx). > Still, we need to carefully choose N so that this risk of connection > dropping is acceptable. > > > I’m thinking this chance can be reduced to 0. > Wouldn’t a TLSv1.3 client be able to recognize that it’s connecting to a > TLSv1.2 server, and not parse the first N bits of the server random? > The idea is to distinguish this case from the case where they are connecting to an attacker pretending to be a TLS 1.2 server. -Ekr -- > -Todd Short > // [email protected] > // "One if by land, two if by sea, three if by the Internet." > >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
