On Fri, Oct 07, 2016 at 08:01:43AM -0700, Eric Rescorla wrote: > After the discussion on PR #615, I took another pass at this with some > help from the research community. Please see: > > https://github.com/tlswg/tls13-spec/pull/672 >
Also, an observation: This seems to interact in somewhat annoying way with stateless HRR. Basically, CH reconstruction no longer works properly, so one needs to have a freezeable PRF hash (and most implementations of hashes can not be frozen). And server not supporting PSK does not help here. (BTW: Simlar thing comes up if you try to freeze an established TLS session: Currently you need to freeze a hash due to post-handshake authentication, even if you don't support it. Nothing else in TLS 1.2 or 1.3 needs hash freezing for established session). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls