Re: [quicwg/base-drafts] Does a Retry really need to change the CID? (#2837)

David Schinazi <> Mon, 24 June 2019 16:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 152311201A0 for <>; Mon, 24 Jun 2019 09:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.382
X-Spam-Status: No, score=-6.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dmWRCw5NWjf3 for <>; Mon, 24 Jun 2019 09:45:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CC9DC12061C for <>; Mon, 24 Jun 2019 09:45:22 -0700 (PDT)
Date: Mon, 24 Jun 2019 09:45:21 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1561394721; bh=0x9eRqJvpNu8XsNP+MzBKbwyd8+fBUDlIUdiZtUuTyU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=OgQfAAvK5fgE8UVpsZotReVJvMV4RTgPRCtqpzuaxkpaROvnoGCcJK9adWNpiA5we 0bZNRkKdJAcEBamcajTOkJ12v08ZGulbc5w8Xtdwk6iA/NkZh+CcHa0pg7su92GtcQ r0P6MrV4izpEj2OxZhMCW0PIrVvs0UFFTi9P/jmU=
From: David Schinazi <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2837/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Does a Retry really need to change the CID? (#2837)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d10fe21e3b1f_2f7a3ff8c2acd960246930"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: DavidSchinazi
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Jun 2019 16:45:25 -0000

@ianswett The `original_connection_id` transport parameter ensures that part of the retry token is in the TLS transcript. If the retry token is protected by authenticated encryption (which it should) then transitively we already have tamper protection for the retry token. The issue here is that if the retry token is tampered with, then the connection is closed. But I don't see how changing the server connection ID during retry changes that though (as long as not changing the CID still requires sending the transport parameter).

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: