Re: [TLS] Comments on EndOfEarlyData

Britta Hale <> Tue, 16 May 2017 21:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD4CC129B07 for <>; Tue, 16 May 2017 14:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.303
X-Spam-Status: No, score=-2.303 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W-rG7DZIieAp for <>; Tue, 16 May 2017 14:14:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 129FB1294B8 for <>; Tue, 16 May 2017 14:10:12 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id E4BEF480089; Tue, 16 May 2017 23:10:09 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xzRL32u-H_-A; Tue, 16 May 2017 23:10:09 +0200 (CEST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 49876480087; Tue, 16 May 2017 23:10:09 +0200 (CEST)
To: Eric Rescorla <>
References: <> <>
Cc: "" <>
From: Britta Hale <>
Message-ID: <>
Date: Tue, 16 May 2017 23:10:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------AD000A178C7664D319EE0289"
Archived-At: <>
Subject: Re: [TLS] Comments on EndOfEarlyData
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 May 2017 21:14:57 -0000

On 16. mai 2017 20:59, Eric Rescorla wrote:
>> However, this intuition is incorrect. Alerts signal the end-of-use of
>> keys, not the prohibition of further communication under other keys.
>> Keys should be deleted and no further data should be sent on the
>> connection.
> This last sentence seems to reinforce the motivating intuition here,
> namely that the alert signals the end of the *connection*, and so it's
> odd to have EOED indicate a key change within a connection.
Avoiding getting caught on the word "connection", EOED signals the end of key 
use like other alerts, which is the central issue. Notably, EOED does 
not signal key change, unlike a KeyUpdate message or Finished message - even 
the name indicates that it is for "end of data". Its behavior is fundamentally 
like an alert's, indicating only end-of-key use for application data. 

>> Specifically, the 0-RTT handshake is
>> followed by 0-RTT data and finally an EndOfEarlyData alert to end use of
>> that key, while in parallel the remainder of the handshake and
>> subsequent session key act almost as a further resumption (i.e. under a
>> different key).
> I can see how you could look at it this way, but I'm not sure that that's
> the natural way to look at it. If you're not doing DH, then these are
> very much derived from the same PSK and the same client-side
> nonce.
In that case, they are both then related to the master key of the previous 
session, which may well have ended with a close_notify, i.e. a properly 
finished key use signaled by an alert.