On Fri, Jan 30, 2026 at 12:46:40PM +0900, Kazu Yamamoto (山本和彦) wrote:
> But RFC 8879 says:
> 
>    After decompression, the Certificate message MUST be processed as
>    if it were encoded without being compressed.

In my opinion the quoted text is not ambiguous, and no errata is
necessary.

First, RFC 8879 does not change how TLS 1.3 computes its transcripts.
More on this below.

Second, the quoted sentence is superfluous and unnecessary.  What
"processing" does one do with the Certificate message?  One validates
the certificate.  But RFC 8879 does not provide a way to validate
compressed certificates apart from decompressing them and then
validating them as usual.  And what other validation method could one
design other than decompress then validate as usual?  Therefore the
quoted sentence was never necessary: because it's obvious.

Third, the next sentence in the RFC says:

                                      [...].  This way, the parsing and
   the verification have the same security properties as they would have
   in TLS normally.

but one does use "parsed" messages to compute the TLS handshake
transcript hash.  So clearly the first sentence would not be consistent
with any intent to change the way the transcript hash is computed.  More
below.

> I think the following original interpretation is possible for the
> content:
> 
>    Transcript-Hash(Handshake Context, Certificate)

RFC 8879 does not change how TLS 1.3 computes its transcripts.  Nor
should it.  And if it did it would have to be explicit about it.

The point of the transcript being

    Transcript-Hash(M1, M2, ... Mn) = Hash(M1 || M2 || ... || Mn)

is that M1, M2, .., Mn are the N messages sent / received _as they are
sent or received_ without any alterations.  The whole point of the
transcript hash is to _detect alterations_.  Therefore no compression of
any part of the handshake should alter the Transcript-Hash() function.

The handshake transcript is such a critical and core design point of
TLS that, had the Internet-Draft preceding RFC 8879 meant to alter the
Transcript-Hash() function then surely it would never have managed WG
consensus.

Nico
-- 

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
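A worked illustration of the point made above, added here as an example that is not part of the thread and not code from any TLS implementation: build a TLS 1.3 server flight that carries a CompressedCertificate message (handshake type 25, zlib algorithm id 1, both from RFC 8879), have the receiver decompress it for validation, and show that Transcript-Hash covers the CompressedCertificate bytes exactly as sent; substituting the decompressed Certificate message into the transcript produces a different digest. The ClientHello/ServerHello bodies and the certificate bytes are constructed placeholders. The choice to compress the Certificate struct body without its 4-byte handshake header, the 64 KiB decompression cap, and every function name are this example's assumptions, not text from the RFC.

```python
import hashlib
import zlib

# Handshake message types (RFC 8446 section 4); CompressedCertificate type and
# the zlib CertificateCompressionAlgorithm value are from RFC 8879 section 3.
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_ENCRYPTED_EXTENSIONS = 8
HS_CERTIFICATE = 11
HS_COMPRESSED_CERTIFICATE = 25
ALG_ZLIB = 1

# Constructed placeholder standing in for a DER certificate; the transcript
# hash does not care what the bytes are, only that they are hashed as sent.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(64)) * 4


def handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake framing: 1-byte msg_type, uint24 length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def certificate_body(certs: list[bytes], context: bytes = b"") -> bytes:
    """Certificate struct: context<0..255>, certificate_list<0..2^24-1> of
    CertificateEntry {cert_data<1..2^24-1>, extensions<0..2^16-1>}."""
    entries = b"".join(len(c).to_bytes(3, "big") + c + b"\x00\x00" for c in certs)
    return bytes([len(context)]) + context + len(entries).to_bytes(3, "big") + entries


def compressed_certificate_body(cert_body: bytes, algorithm: int = ALG_ZLIB) -> bytes:
    """CompressedCertificate: algorithm(2), uncompressed_length(3),
    compressed_certificate_message<1..2^24-1>. Assumption of this example:
    the payload is the Certificate struct body without its handshake header."""
    if algorithm != ALG_ZLIB:
        raise ValueError("only zlib is implemented in this example")
    comp = zlib.compress(cert_body)
    return (algorithm.to_bytes(2, "big") + len(cert_body).to_bytes(3, "big")
            + len(comp).to_bytes(3, "big") + comp)


def decompress_certificate(cc_body: bytes, max_uncompressed: int = 1 << 16) -> bytes:
    """Receiver side: recover the Certificate struct body. Each failure would be
    a bad_certificate alert in a real stack; here it is a ValueError. The
    max_uncompressed cap is this example's own bomb hardening, not RFC text."""
    if len(cc_body) < 9:
        raise ValueError("bad_certificate: truncated CompressedCertificate")
    algorithm = int.from_bytes(cc_body[0:2], "big")
    uncompressed_length = int.from_bytes(cc_body[2:5], "big")
    comp_len = int.from_bytes(cc_body[5:8], "big")
    comp = cc_body[8:]
    if algorithm != ALG_ZLIB:
        raise ValueError("bad_certificate: unsupported algorithm")
    if comp_len == 0 or comp_len != len(comp):
        raise ValueError("bad_certificate: length field mismatch")
    if uncompressed_length > max_uncompressed:
        raise ValueError("bad_certificate: uncompressed_length over cap")
    d = zlib.decompressobj()
    # Produce at most one byte past the advertised length: a lying
    # uncompressed_length is caught without inflating a decompression bomb.
    out = d.decompress(comp, uncompressed_length + 1)
    if len(out) != uncompressed_length or not d.eof:
        # RFC 8879: advertised length must match the actual decompressed size.
        raise ValueError("bad_certificate: uncompressed_length does not match")
    return out


def transcript_hash(messages: list[bytes]) -> bytes:
    """Transcript-Hash(M1, ..., Mn) = Hash(M1 || ... || Mn) over the handshake
    messages exactly as sent or received (RFC 8446 section 4.4.1)."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.digest()


def demo() -> dict:
    """Sender builds a flight with a CompressedCertificate; the receiver
    decompresses it for validation but hashes the bytes that arrived."""
    client_hello = handshake(HS_CLIENT_HELLO, b"constructed ClientHello body")
    server_hello = handshake(HS_SERVER_HELLO, b"constructed ServerHello body")
    encrypted_extensions = handshake(HS_ENCRYPTED_EXTENSIONS, b"\x00\x00")
    cert_body = certificate_body([FAKE_CERT_DER])
    compressed_cert = handshake(HS_COMPRESSED_CERTIFICATE,
                                compressed_certificate_body(cert_body))
    prefix = [client_hello, server_hello, encrypted_extensions]

    sender_transcript = transcript_hash(prefix + [compressed_cert])

    # Receiver: strip the handshake header, decompress, then validate the
    # result "as if it were encoded without being compressed" ...
    recovered = decompress_certificate(compressed_cert[4:])
    assert recovered == cert_body
    # ... while the transcript still covers the message as received.
    receiver_transcript = transcript_hash(prefix + [compressed_cert])

    # The reading the thread rejects: hash the decompressed Certificate
    # instead. The digest no longer matches the sender's, so a
    # CertificateVerify computed over it would not verify.
    wrong_transcript = transcript_hash(prefix + [handshake(HS_CERTIFICATE, recovered)])

    return {"sender_transcript": sender_transcript,
            "receiver_transcript": receiver_transcript,
            "wrong_transcript": wrong_transcript}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex())
```

The receiver deliberately does two separate things with the same bytes: it feeds the CompressedCertificate message to the transcript untouched, and it decompresses a copy for certificate validation. The decompressor checks the advertised uncompressed_length against what actually came out, as RFC 8879 requires, and additionally refuses to inflate beyond a fixed cap, which is the kind of bound a real implementation wants before handing attacker-controlled compressed data to zlib.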