d73b783 | ekr | 22 May 2016, 19:29:15 UTC | Merge pull request #468 from ekr/cookie_for_hrr Cookie for hrr | 22 May 2016, 19:29:15 UTC |
39ce827 | EKR | 22 May 2016, 18:45:20 UTC | Revise cookie | 22 May 2016, 18:45:20 UTC |
2f439c0 | EKR | 21 May 2016, 16:43:03 UTC | Add cookie to HRR | 22 May 2016, 18:42:34 UTC |
f4b0a3d | EKR | 16 November 2015, 18:27:45 UTC | Fix conflict | 22 May 2016, 18:42:34 UTC |
5deba7b | ekr | 22 May 2016, 18:41:38 UTC | Merge pull request #476 from xiaoyinl/patch-1 Change the HTTP/1.1 reference from RFC7231 to 7230 | 22 May 2016, 18:41:38 UTC |
6f5b930 | EKR | 22 May 2016, 18:41:17 UTC | I before E, except after C | 22 May 2016, 18:41:17 UTC |
4716302 | EKR | 22 May 2016, 18:40:36 UTC | Merge remote-tracking branch 'davegarrett/patch-1' | 22 May 2016, 18:40:36 UTC |
c9ed99f | ekr | 22 May 2016, 18:36:04 UTC | Merge pull request #474 from ekr/editorial_draft_13 Editorial | 22 May 2016, 18:36:04 UTC |
a5989fb | xiaoyinl | 22 May 2016, 07:02:24 UTC | Change the HTTP/1.1 reference from RFC7231 to 7230 Now I think it is better to use RFC 7230 as a reference of HTTP/1.1 in Client Tracking Prevention section, since RFC 7230 talks about connections, while RFC 7231 talks about the header fields, status codes, etc. | 22 May 2016, 07:02:24 UTC |
e57106c | Dave Garrett | 22 May 2016, 01:06:15 UTC | relax and focus error condition | 22 May 2016, 01:06:15 UTC |
dbb6b47 | EKR | 21 May 2016, 21:48:37 UTC | Editorial | 21 May 2016, 22:03:04 UTC |
164d8c3 | ekr | 21 May 2016, 19:44:01 UTC | Merge pull request #469 from ekr/issue441_clarify_signature_schemes Code point groups. Fixes #441 | 21 May 2016, 19:44:01 UTC |
3f3b4a5 | EKR | 21 May 2016, 19:42:05 UTC | Code point groups. Fixes #441 | 21 May 2016, 19:42:30 UTC |
0a4f954 | EKR | 20 May 2016, 17:46:21 UTC | Update change log | 21 May 2016, 16:20:55 UTC |
282c130 | ekr | 21 May 2016, 16:19:33 UTC | Merge pull request #465 from ekr/enhanced_new_session_ticket Expanded NewSessionTicket message | 21 May 2016, 16:19:33 UTC |
5994b44 | EKR | 21 May 2016, 16:18:57 UTC | Clarification per MT | 21 May 2016, 16:18:57 UTC |
0eba9cc | EKR | 27 April 2016, 23:19:52 UTC | Expanded NewSessionTicket message | 21 May 2016, 16:14:58 UTC |
db8f6c2 | ekr | 21 May 2016, 16:10:58 UTC | Merge pull request #461 from squarooticus/patch-1 Add implementation note about client tracking | 21 May 2016, 16:10:58 UTC |
8cadd60 | Kyle Rose | 20 May 2016, 17:52:32 UTC | Add informative reference to RFC7231. | 20 May 2016, 17:52:32 UTC |
2e7c11c | ekr | 20 May 2016, 17:44:06 UTC | Merge pull request #462 from davidben/dhe-pad2 Preserve leading zeros in Diffie-Hellman secrets. | 20 May 2016, 17:44:06 UTC |
1a58e83 | ekr | 20 May 2016, 17:43:36 UTC | Merge pull request #463 from davidben/redundant-length Remove redundant length prefix from KeyShareEntry.key_exchange contents. | 20 May 2016, 17:43:36 UTC |
254ee8b | ekr | 20 May 2016, 17:40:49 UTC | Merge pull request #454 from ekr/WIP_context_for_resumption Wip context for resumption | 20 May 2016, 17:40:49 UTC |
418535e | EKR | 20 May 2016, 17:38:22 UTC | Hash the resumption context | 20 May 2016, 17:38:22 UTC |
18398bb | EKR | 20 May 2016, 17:10:28 UTC | Editorial cleanup | 20 May 2016, 17:10:28 UTC |
3ebc50c | EKR | 20 May 2016, 16:23:58 UTC | Minor editorial from Garrett | 20 May 2016, 16:23:58 UTC |
b92f211 | ekr | 20 May 2016, 14:51:16 UTC | Merge pull request #464 from FiloSottile/patch-1 Fix typo in Encrypted Extensions | 20 May 2016, 14:51:16 UTC |
705ce67 | Filippo Valsorda | 20 May 2016, 01:46:00 UTC | Fix typo in Encrypted Extensions | 20 May 2016, 01:46:00 UTC |
be7d190 | Kyle Rose | 19 May 2016, 21:12:10 UTC | Substitute with Martin's language | 19 May 2016, 21:12:10 UTC |
be66d8e | David Benjamin | 19 May 2016, 19:32:54 UTC | Remove redundant length prefix from KeyShareEntry.key_exchange contents. Only the outer length prefix is necessary, not the inner one. Named groups can just as easily take a byte string with known length rather than need to parse fields out. This is consistent with the definition of DigitallySigned.signature; the signature is an opaque field which is passed as a byte string into the corresponding signature algorithm. The definition of rsa_pss_sha256 does not define an inner u16 length prefix. It simply takes the opaque byte string and passes it into the rsa_pss_sha256 function. (In fact, this change means the KeyShareEntry and DigitallySigned structures are exactly parallel.) This also fixes some references to non-existent structures like ECPoint and dh_Yc. (Those seem to be remnants of TLS 1.2.) | 19 May 2016, 20:06:02 UTC |
6af2cd0 | David Benjamin | 19 May 2016, 18:48:11 UTC | Preserve leading zeros in Diffie-Hellman secrets. Every other use of Diffie-Hellman preserves leading zeros. See PKCS #3 section 8.3, RFC 2631 section 2.1.2, and SP 800-56A section C.1. I assume X9.42 says something similar to RFC 2631, but I do not have a copy of it. This discrepancy has caused sporadic interoperability issues in TLS 1.2's DHE construction, so clearly it's confusing. Moreover, having variable-length secrets is generally dubious. It exposes an unnecessary side channel. Since TLS 1.2's server-fiat DHE and TLS 1.3's negotiated DHE are already very different animals (1.3 DHE is more like 1.2 ECDHE than anything else), change it to the more reasonable scheme going forward. This is not compatible with 1.2 and does risk a different set of sporadic interop issues if implementations do not realize this changed, but we already have those with 1.2 implementations today. | 19 May 2016, 19:21:32 UTC |
9f96c9c | Kyle Rose | 19 May 2016, 18:59:00 UTC | Add implementation note about client tracking Session tickets enable client tracking by passive observers if they are used more than once. This change adds guidance to implementors for preventing this. | 19 May 2016, 18:59:00 UTC |
3dabad5 | ekr | 19 May 2016, 01:59:56 UTC | Merge pull request #460 from davegarrett/patch-1 minor followup to PR #459 | 19 May 2016, 01:59:56 UTC |
221e941 | Dave Garrett | 19 May 2016, 01:16:09 UTC | tweak pitfalls: unknown or no extensions | 19 May 2016, 01:16:09 UTC |
747908b | EKR | 19 May 2016, 00:17:38 UTC | Rename | 19 May 2016, 00:17:38 UTC |
b65c4a7 | EKR | 10 May 2016, 17:28:02 UTC | Checkpoint for context | 19 May 2016, 00:15:39 UTC |
b4f42cb | EKR | 19 May 2016, 00:08:02 UTC | Rename | 19 May 2016, 00:08:02 UTC |
98f73c2 | EKR | 19 May 2016, 00:03:23 UTC | Reduce unnecessary expand/extract pairings | 19 May 2016, 00:03:23 UTC |
a63ccbb | ekr | 18 May 2016, 22:19:40 UTC | Merge pull request #458 from davidben/dhe-pad Specify whether DHE public keys are zero-padded. | 18 May 2016, 22:19:40 UTC |
bd069ba | ekr | 18 May 2016, 22:08:05 UTC | Merge pull request #459 from davidben/more-pitfalls Add some more implementation pitfalls. | 18 May 2016, 22:08:05 UTC |
dcee25c | David Benjamin | 18 May 2016, 14:11:35 UTC | Add some more implementation pitfalls. There are many fields where unknown values are supposed to be ignored and not a fatal error. Experience with buggy TLS 1.2 servers suggests this is somehow not obvious. Switch the mention of omitting the extensions field completely (which is no longer possible) with unknown extensions. Also explicitly call out ClientHello version processing as this historically has been a huge ecosystem failure. | 18 May 2016, 21:58:53 UTC |
6c8ff2c | David Benjamin | 17 May 2016, 19:11:49 UTC | Specify whether DHE public keys are zero-padded. TLS 1.2 did not specify this and some implementations have sporadic interoperability issues as a result. Specify that, in TLS 1.3, public keys should be zero-padded. This is believed to be the more compatible TLS 1.2 variant, and having cryptographic messages be fixed-width fields where possible (not that it matters for public keys) seems preferable to saving one byte 1/256 of the time. | 17 May 2016, 19:38:45 UTC |
7c6fc45 | EKR | 16 May 2016, 00:54:59 UTC | Editorial | 16 May 2016, 00:54:59 UTC |
ee61e50 | EKR | 16 May 2016, 00:14:36 UTC | Clean up | 16 May 2016, 00:14:36 UTC |
96dc672 | EKR | 15 May 2016, 23:47:25 UTC | Editorial | 15 May 2016, 23:47:27 UTC |
a3db4d1 | EKR | 15 May 2016, 23:43:40 UTC | Restore indications | 15 May 2016, 23:47:27 UTC |
98e71bf | EKR | 15 May 2016, 23:40:56 UTC | MT, Garrett's comments, #1 | 15 May 2016, 23:47:27 UTC |
ec1e6b6 | EKR | 11 May 2016, 10:58:58 UTC | Cherry-pick | 15 May 2016, 23:47:27 UTC |
341fb54 | EKR | 10 May 2016, 14:56:09 UTC | WIP: new key schedule | 15 May 2016, 23:47:27 UTC |
3b47c46 | ekr | 15 May 2016, 23:28:35 UTC | Merge pull request #439 from davidben/0-rtt-compat Add a section on 0-RTT backwards compatibility. | 15 May 2016, 23:28:35 UTC |
9851e16 | ekr | 15 May 2016, 23:26:59 UTC | Merge pull request #449 from ekr/encrypted_extensions_for_client Encrypted extensions for client | 15 May 2016, 23:26:59 UTC |
2396cf8 | ekr | 13 May 2016, 15:56:23 UTC | Merge pull request #457 from jwilk/spelling Remove duplicated words and add missing commas | 13 May 2016, 15:56:23 UTC |
37a03ec | Jakub Wilk | 13 May 2016, 12:02:18 UTC | Add missing commas in conditional sentences | 13 May 2016, 12:02:18 UTC |
c3c5853 | Jakub Wilk | 13 May 2016, 11:51:13 UTC | Remove duplicated words | 13 May 2016, 11:51:13 UTC |
ad3125c | ekr | 11 May 2016, 11:44:57 UTC | Merge pull request #448 from ekr/certificate_status_xtn Move CertificateStatus to an extension | 11 May 2016, 11:44:57 UTC |
bdb0058 | EKR | 02 May 2016, 20:38:31 UTC | Move CertificateStatus to an extension | 11 May 2016, 11:39:06 UTC |
eeec465 | EKR | 11 May 2016, 11:34:40 UTC | Some clean up | 11 May 2016, 11:34:40 UTC |
d757991 | David Benjamin | 10 May 2016, 18:08:53 UTC | ekr comments | 10 May 2016, 18:08:53 UTC |
e64c039 | EKR | 10 May 2016, 10:54:26 UTC | Update per MT's comments | 10 May 2016, 10:54:26 UTC |
111da27 | EKR | 03 May 2016, 19:51:38 UTC | 0-RTT Encrypted Extensions + ticket_age | 07 May 2016, 14:01:37 UTC |
4b92793 | EKR | 07 May 2016, 13:57:20 UTC | Add open issue marker | 07 May 2016, 13:57:20 UTC |
b7c3fb9 | EKR | 29 April 2016, 02:44:40 UTC | Cleanup | 07 May 2016, 13:55:38 UTC |
0405d8f | EKR | 28 April 2016, 21:34:42 UTC | Fix mis-edit for handshake context | 07 May 2016, 13:55:38 UTC |
6315ded | EKR | 28 April 2016, 19:20:39 UTC | MT's comments | 07 May 2016, 13:55:38 UTC |
d8551a7 | EKR | 26 April 2016, 00:50:08 UTC | Remove 0-RTT (EC)DHE and 0-RTT client authentication | 07 May 2016, 13:55:38 UTC |
47a5f34 | EKR | 07 May 2016, 11:50:10 UTC | Update extensions table | 07 May 2016, 11:50:10 UTC |
d6b0bb3 | EKR | 02 May 2016, 20:13:16 UTC | Update ChangeLog | 02 May 2016, 20:19:37 UTC |
b87c2af | ekr | 02 May 2016, 19:46:01 UTC | Merge pull request #446 from ekr/issue415_supported_groups_in_serverhello Allow server to send supported_groups. Fixes #415 | 02 May 2016, 19:46:01 UTC |
cb70b98 | EKR | 28 April 2016, 19:09:37 UTC | Updates per comments from MT, garrett | 28 April 2016, 19:09:37 UTC |
7e3f37f | EKR | 27 April 2016, 23:26:41 UTC | Allow server to send supported_groups. Fixes #415 | 27 April 2016, 23:27:01 UTC |
0fbdf48 | ekr | 26 April 2016, 00:40:20 UTC | Merge pull request #436 from beurdouche/patch_typo7 Patch some typos, missing words and punctuations | 26 April 2016, 00:40:20 UTC |
5cd5f29 | David Benjamin | 18 April 2016, 21:41:02 UTC | Change SHOULD to RECOMMENDED per review comment | 18 April 2016, 21:41:02 UTC |
64bb1f4 | David Benjamin | 18 April 2016, 18:29:43 UTC | Various tweaks in response to comments. | 18 April 2016, 18:29:43 UTC |
ed89759 | ekr | 13 April 2016, 17:51:57 UTC | Merge pull request #442 from s-zanella/patch-1 client_shares MAY be empty, the floor should be 0 | 13 April 2016, 17:51:57 UTC |
614ec56 | Santiago Zanella-Beguelin | 13 April 2016, 17:40:40 UTC | client_shares MAY be empty, the floor should be 0 | 13 April 2016, 17:40:40 UTC |
530b081 | David Benjamin | 07 April 2016, 17:51:28 UTC | Add a section on 0-RTT backwards compatibility. 0-RTT is *not* backwards compatible because of the external application data records. Add some guidance for both clients and servers to mitigate this. Ideally the server SHOULD could be a MUST and that would be the end of it, but I do not expect all servers to get this right and so clients will want a fallback. This also lets us provide guidance on the exact client-side fallback trigger and explicitly say not to change the version. Conveniently, there is a reliable signal available. (Historically, clients have used network errors or generic protocol errors as fallback triggers which masks new server bugs.) | 11 April 2016, 20:37:23 UTC |
3fcb2bc | Benjamin Beurdouche | 28 March 2016, 10:37:24 UTC | Capitalize a must and minor rephrase | 28 March 2016, 10:37:24 UTC |
2f3ddca | Benjamin Beurdouche | 24 March 2016, 20:21:19 UTC | Fix typos, missing words and punctuation | 24 March 2016, 20:21:19 UTC |
5cdf8b5 | Benjamin Beurdouche | 24 March 2016, 18:54:47 UTC | Trim endlines | 24 March 2016, 18:54:47 UTC |
70f0e52 | ekr | 22 March 2016, 22:44:50 UTC | Merge pull request #435 from davegarrett/patch-2 followup tweaks to PR #434 | 22 March 2016, 22:44:50 UTC |
85f0d53 | Dave Garrett | 22 March 2016, 22:22:55 UTC | minor tweaks to SignatureScheme enum Move DSA values to under the reserved heading, which avoids extra whitespace showing in the pruned version. Also drop the periods after the comments, as they're not sentences. | 22 March 2016, 22:22:55 UTC |
3975fc4 | ekr | 22 March 2016, 16:04:29 UTC | Merge pull request #434 from davegarrett/patch-1 append "_RESERVED" to DSA SignatureScheme value names | 22 March 2016, 16:04:29 UTC |
eeb4bfd | Dave Garrett | 22 March 2016, 04:34:14 UTC | append "_RESERVED" to DSA SignatureScheme value names This appends a "_RESERVED" to each name for the DSA values in the SignatureScheme enum to have them hidden up top and only shown in the appendix, as they're obsolete and their full description was removed in a prior changeset (https://github.com/tlswg/tls13-spec/commit/bed72816a2cbcb2695718c3936c44b78498e07da). | 22 March 2016, 04:34:14 UTC |
24d0f54 | EKR | 22 March 2016, 00:54:41 UTC | Cleanup | 22 March 2016, 00:54:41 UTC |
5205602 | EKR | 22 March 2016, 00:43:39 UTC | Update changelog | 22 March 2016, 00:43:39 UTC |
19ec6b5 | EKR | 22 March 2016, 00:42:39 UTC | Merge branch 'master' of github.com:tlswg/tls13-spec | 22 March 2016, 00:42:39 UTC |
bed7281 | EKR | 22 March 2016, 00:42:35 UTC | Clean up | 22 March 2016, 00:42:35 UTC |
4a7ad7a | ekr | 22 March 2016, 00:22:13 UTC | Merge pull request #431 from ekr/issue282_exporters Define exporter. Fixes #282 | 22 March 2016, 00:22:13 UTC |
c3fc3c2 | EKR | 21 March 2016, 20:51:05 UTC | Add subodh iyengar to acknowledgements | 21 March 2016, 20:51:23 UTC |
4160f93 | ekr | 21 March 2016, 20:40:31 UTC | Merge pull request #432 from siyengar/patch-1 Clarify verification requirements of KeyUpdate | 21 March 2016, 20:40:31 UTC |
a7d7d3d | Subodh Iyengar | 21 March 2016, 20:38:35 UTC | Update draft-ietf-tls-tls13.md Fix spelling error | 21 March 2016, 20:38:35 UTC |
1709197 | EKR | 21 March 2016, 20:35:22 UTC | Update acknowledgements to add davidben and alphabetize nick | 21 March 2016, 20:35:22 UTC |
ad0f819 | Subodh Iyengar | 21 March 2016, 20:34:18 UTC | Clarify verification requirements of KeyUpdate The current wording of KeyUpdate is a bit ambiguous, leaves out certain areas needed for enforcement, and might result in a security issue if not implemented correctly. A sender of the keyupdate has no choice of which key to encrypt the keyupdate with; however, the recipient does. It has 2 choices: a. Use the old key and reset the sequence number after acking the keyupdate. b. Use the new key for the key update and reset the sequence number before acking the keyupdate. This distinction is very important for security. If a client uses option b), this causes a security vuln. Because the sequence numbers are reset after a key update, an attacker could truncate (application data) records from the old stream, wait for the key update from the client, and then let new packets through. The client or server has no way of figuring out this has happened. If a receiver verifies that the KeyUpdate is received with the old key before accepting messages encrypted with the new key, then this attack is prevented. | 21 March 2016, 20:34:18 UTC |
fec25c3 | EKR | 21 March 2016, 20:33:20 UTC | Changelog | 21 March 2016, 20:33:20 UTC |
5c31374 | EKR | 21 March 2016, 20:24:21 UTC | Define handshake_hash. Fixes #416 | 21 March 2016, 20:24:21 UTC |
783b0ac | EKR | 21 March 2016, 20:10:44 UTC | Define exporter. Fixes #282 | 21 March 2016, 20:10:44 UTC |
c5f95dc | EKR | 21 March 2016, 19:16:06 UTC | Revert "Fixkey generation table" This reverts commit 376b774862144dc72df1b3353a6292e156a0b805. | 21 March 2016, 19:16:06 UTC |
da3bd66 | EKR | 21 March 2016, 18:35:14 UTC | Indicate EMS. Fixes #417 | 21 March 2016, 18:35:14 UTC |
376b774 | EKR | 21 March 2016, 18:00:06 UTC | Fixkey generation table | 21 March 2016, 18:00:06 UTC |
a84901c | EKR | 21 March 2016, 17:46:13 UTC | Clarify CertificateVerify calculation. Fixes #407 | 21 March 2016, 17:46:13 UTC |
67664cc | EKR | 21 March 2016, 17:08:28 UTC | Allow late tickets. Fixes #411 | 21 March 2016, 17:08:28 UTC |