On Mon, May 24, 2021, at 14:19, Hanno Becker wrote: > Yep, that's clear - my question was whether the DTLS 1.3 Spec should > contain an explicit > reminder of that, e.g. when it claims that cryptographic material is > uniquely identified > by epochs. This wouldn't be true if you could send 0-RTT after an HRR, > in which case > you'd end up with an overloading of epoch 1.
It's not necessarily the case that you would end up with an insecure protocol in this case. It depends on how the keys for epoch 1 are derived. As TLS equates HRR with early data rejection, there is no answer to the question of what keys would be used after HRR. If you mean to refer to "Note this epoch is skipped if the client does not offer early data" it seems like you could adjust this to say "Note this epoch is skipped if the client does not offer **or the server rejects** early data". _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
