David Benjamin <[email protected]> wrote:
> Once you've gotten as far as to switch to TLSCiphertext, I don't see a
> reason not to enforce. Keying on versions is problematic (which is why we
> avoided a transition to enforcement), but keying on whether the record is
> encrypted seems fine. I think it just didn't occur to us to base it on
> that. :-)
>
Since this field isn't included in the additional_data of the AEAD in TLS 1.3 any more, it isn't authenticated. That means an active MitM can use this to transport up to 2 bytes of information hop-to-hop if the receiver doesn't check it. That seems like a good reason to check it, and also to check TLSCiphertext.opaque_type is application_data.

Assuming this is the reason, the reasoning should be explicitly called out because it is non-obvious. If that isn't a reason to do the check, then I don't think there's any reason to mandate that implementations do it.

Cheers,
Brian
--
https://briansmith.org/
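The receiver-side check discussed in the message above, as an added example that is not part of the original message or of any TLS implementation. All function names are hypothetical, the record body is constructed placeholder data, and the expected version constant (0x0303, the value RFC 8446 later fixed) is an assumption, since the thread does not state one.

```python
import struct

APPLICATION_DATA = 23      # ContentType value for application_data
EXPECTED_VERSION = 0x0303  # assumption: RFC 8446's constant; drafts used another


class RecordHeaderError(ValueError):
    """Raised when an unauthenticated header field has an unexpected value."""


def split_header(record: bytes):
    # TLSCiphertext header: opaque_type (1), version (2), length (2)
    if len(record) < 5:
        raise RecordHeaderError("truncated record header")
    opaque_type, version, length = struct.unpack("!BHH", record[:5])
    if length != len(record) - 5:
        raise RecordHeaderError("length field does not match record size")
    return opaque_type, version, record[5:]


def lenient_receive(record: bytes) -> bytes:
    # Ignores opaque_type and version: any value in them reaches the AEAD
    # step unchanged, and the AEAD does not cover them (per the message above).
    _, _, body = split_header(record)
    return body


def strict_receive(record: bytes, expected_version: int = EXPECTED_VERSION) -> bytes:
    # Enforces both fields before the body is handed to AEAD decryption.
    opaque_type, version, body = split_header(record)
    if opaque_type != APPLICATION_DATA:
        raise RecordHeaderError(f"opaque_type {opaque_type} is not application_data")
    if version != expected_version:
        raise RecordHeaderError(f"version field {version:#06x} != {expected_version:#06x}")
    return body


def make_record(version: int, body: bytes, opaque_type: int = APPLICATION_DATA) -> bytes:
    return struct.pack("!BHH", opaque_type, version, len(body)) + body


# Constructed sample: 24 placeholder bytes standing in for an encrypted record.
BODY = bytes(range(24))
ORIGINAL = make_record(EXPECTED_VERSION, BODY)
ALTERED = make_record(0x1234, BODY)  # same body, version bytes changed in transit

if __name__ == "__main__":
    print(lenient_receive(ORIGINAL) == lenient_receive(ALTERED))  # both accepted
    for rec in (ORIGINAL, ALTERED):
        try:
            strict_receive(rec)
            print("strict: accepted")
        except RecordHeaderError as e:
            print("strict: rejected:", e)
```

The lenient receiver hands the same body to decryption for both records, so nothing downstream distinguishes them; the strict receiver rejects the altered one before decryption is attempted.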
