Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

Dave Garrett <> Tue, 22 December 2015 02:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 346381AD0C6 for <>; Mon, 21 Dec 2015 18:33:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u6-2iTT1aOHo for <>; Mon, 21 Dec 2015 18:33:21 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF3091A872B for <>; Mon, 21 Dec 2015 18:33:20 -0800 (PST)
Received: by with SMTP id t125so144623127qkh.3 for <>; Mon, 21 Dec 2015 18:33:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=DnSrxGDCLfsNrm9hmpHDUs3kCT/K95wwVa/hFKeVXW4=; b=0KC8QLzIzbCtDsLh6XZtCGhxemhfKpBztPTiRD9egwJyisWNikuWA5wHAzyb3pO7eS +hyUuuxWD69AuNtbSqA6pO2fZsm2Bg6dxf6xpiZgCL2NWcDEpNVjNcys/pEqbG+72lIZ VI1BdVGx+EKS7swEHvfYzuAXAEYaxp5CsMRUXw7rdW4pxNRezGRBPRFAKKyzjK1CGO8H CyJX29GePUbdv7aT+LoWiiBPB0TXP1fFinjXmeC+pYO+EA9D93Od53ZotKdosUAMzopS Bmjrn5WdR3PwP/yp76oiZidOAeTqG5zQlBXhMfuOovyNhjFFCBcXMUr5oAq2emk8l2Kl ej7g==
X-Received: by with SMTP id f126mr28927180qkb.88.1450751600199; Mon, 21 Dec 2015 18:33:20 -0800 (PST)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id w16sm15295117qka.35.2015. (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 21 Dec 2015 18:33:19 -0800 (PST)
From: Dave Garrett <>
To:, Eric Rescorla <>
Date: Mon, 21 Dec 2015 21:33:17 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Dec 2015 02:33:22 -0000

On Monday, December 21, 2015 09:25:44 pm Christian Huitema wrote:
> > I was just going over this text today and realized it's kind of confusing
> > (and the whole "handshake_hash" abstraction is starting to be less useful
> > in light of the PR#316 reframing of the authentication block).
> Yes, the "handshake hash" is indeed confusing. Specifying something like "all messages up to <some point>" is simple enough. But there are several such points, used at different stages. Server Hello, Server certificate verify, Server Finished, Client certificate verify, Client finished.. It would be a bit more clear to give each of them its own name.

Along this same line, I'd suggest getting rid of "session_hash", at least as-is. Instead, just use "handshake_hash" for everything and specify what's included at each use. "Session hash" is just another term that has to be referenced, when it's just the final state of the handshake hash. The term doesn't really add anything unless every separate stage of the handshake hash was named separately (in which case, "handshake_hash_*" naming might be more clear)