On Tue, Oct 11, 2016 at 07:48:05PM -0700, Eric Rescorla wrote:
> On Tue, Oct 11, 2016 at 5:16 PM, Martin Thomson <martin.thom...@gmail.com>
> > On 12 October 2016 at 00:51, Eric Rescorla <e...@rtfm.com> wrote:
> > > See:
> > > https://github.com/tlswg/tls13-spec/pull/678
> > I'm convinced that this is the right change. Reconstruction was
> > always going to be brittle. I will note that I don't think that the
> > change gets the error codes right though. I explained why on the PR.
> Thanks, I'll look at this. I'll be merging this change (modulo your
> comments) Friday unless there is significant objection.
Well, if reject with in-list group is spurious or not depends on if
there is some hello-altering extension other than key share group
(it isn't if any other extension alters CH).
I also noticed another edge case: What is to prevent server from
omitting key share group (emitting a cookie, so the restart is
not spurious), presumably causing the client to blank its key_share
and then proceed to accept DH versus client's previously sent share?
(That kind of thing really plays hell if client has explicit list
of keypairs it considers active for connection).
TLS mailing list