On Tue, Mar 29, 2016 at 6:25 PM, Martin Thomson <[email protected]> wrote:
> On 30 March 2016 at 11:30, Colm MacCárthaigh <[email protected]> wrote: > > * How is the elapsed time on the wire authenticated? can't an attacker > > modify it and replay? > > It is authenticated by virtue of being part of the session transcript. > It will be authenticated by the Finished message included by the > client, by the key derivation, and ultimately by the remainder of the > 1RTT handshake. > But isn't that too late? If you have to wait for the client finished message before you can even decrypt the 0RTT section; what's the benefit? it's not "0RTT" any more. > > > * Should the difference really be 1RTT, or 1/2 RTT (well, really "TT" I > > guess) ? > > No. The server records the time that it generates the ticket. Then > that ticket travels to the client (1/2 RTT). At that point the > counter starts. Then, on resumption, the client stops the clock and > sends the message to the server (1/2 RTT). > Makes sense! -- Colm
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
