The problem with the second option is that it's not safe to send the 0-RTT Finished on the wire if you don't know that the other side is 1.3; that's an assumption we made about 0-RTT but not one we want to make for PSK-resumption.
-Ekr

On Tue, Jul 19, 2016 at 3:46 PM, Ilari Liusvaara <[email protected]> wrote:

> Thinking about this...
>
> One option would be like 2 on the slides (the overstriked one!), except:
>
> - The message is synthesized, not actually sent on wire (but still
>   logged).
> - It only happens after the last ClientHello.
> - It uses the actual PSK, even if not #0.
>
>
> Maybe I should have listened to the talk more carefully, but the
> reason I got for overstriking the second option was that it is
> unimplementable in practice.
>
>
> Of course, dunno if the changes would actually fix the problems
> with PSK contexts...
>
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
>
