On Wed, Oct 12, 2016 at 3:57 PM, Eric Rescorla <e...@rtfm.com> wrote:

> The 0-RTT traffic key incorporates the ClientHello.Random which is tied
> into the full handshake.

Ok, so for the replayed early data to be accepted, an adversary would also
have to swap out CH.Random and the (Finished) message, which would alter
the server Finished message, resulting in a handshake failure. I think that
resolves my concern. Thanks.

TLS mailing list

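The binding discussed in the thread, as an added example that is not part of the original messages: it derives the 0-RTT (client early traffic) key from a PSK and the ClientHello, and a different ClientHello.Random yields a different key. It assumes the key schedule as finally published in RFC 8446 with SHA-256 and a 128-bit AEAD key, which may differ from the draft under discussion in 2016; `constructed_client_hello`, the PSK and the random values are hypothetical sample inputs.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel from RFC 8446 section 7.1: uint16 length, "tls13 " + label, context
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def early_traffic_key(psk: bytes, client_hello: bytes):
    """Return (key, iv) protecting 0-RTT data for this PSK and ClientHello."""
    early_secret = hkdf_extract(b"\x00" * HLEN, psk)
    # The transcript hash covers the ClientHello, and therefore its Random.
    transcript = HASH(client_hello).digest()
    secret = hkdf_expand_label(early_secret, b"c e traffic", transcript, HLEN)
    key = hkdf_expand_label(secret, b"key", b"", 16)
    iv = hkdf_expand_label(secret, b"iv", b"", 12)
    return key, iv

def constructed_client_hello(random: bytes) -> bytes:
    # Constructed stand-in, not a full wire encoding:
    # legacy_version || random || placeholder for the remaining fields.
    if len(random) != 32:
        raise ValueError("ClientHello.Random is 32 bytes")
    return b"\x03\x03" + random + b"<remaining ClientHello fields: constructed>"

if __name__ == "__main__":
    psk = b"constructed-resumption-psk".ljust(HLEN, b"\x00")
    original = constructed_client_hello(bytes(range(32)))
    swapped = constructed_client_hello(bytes(range(1, 33)))
    print("same CH.Random, same key:", early_traffic_key(psk, original) == early_traffic_key(psk, original))
    print("swapped CH.Random, same key:", early_traffic_key(psk, original) == early_traffic_key(psk, swapped))
```
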