Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

[Eric Rescorla <ekr@rtfm.com>]

On Mon, Dec 21, 2015 at 5:49 PM, Christian Huitema <huitema@microsoft.com>
wrote:

> The handshake hash specification in section 7.1 says:
>

You're referring the editor's copy (WIP-11), right?



>   Where handshake_hash includes all messages up through the
>   server CertificateVerify message, but not including any
>   0-RTT handshake messages (the server's Finished is not
>   included because the master_secret is need to compute
>   the finished key).
>
> What are the 0-RTT handshake messages that should be excluded? The diagram
> in 6.2.2 shows the client hello and its extensions, the optional client
> cert and client cert verify, and a finished message. Presumably, the
> handshake hash does not exclude the client hello. What is the intent there?
> Is the sentence meant to exclude the 0-RTT cert, cert verify and finished
> messages?
>

I was just going over this text today and realized it's kind of confusing
(and the whole "handshake_hash" abstraction is starting to be less useful
in light of the PR#316 reframing of the authentication block).

Unless I'm confused (which is possible given the time of night),
the intention, as you say, is to separate out the 0-RTT handshake
messages i.e., (cert, cert verify, finished) from the 1-RTT computations.
However,  as indicated in S 6.3.3. and 6.3.4:

- The 0-RTT Certificate Verify covers the ClientHello and Certificate
  (as well as the cached messages from the server shown in the
  table in 6.3.4)
- The 0-RTT Finished includes the above messages plus the
  CertificateVerify.

Trying to figure out the best way to clarify this text. PRs welcome :)

-Ekr