
Re: [sasl] last call comments (Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)



On Wed, Oct 28, 2009 at 10:18:04AM +0000, Larry Zhu wrote:
> There is a design issue in tls-unique. For vendors who implement TLS
> in a separate library, the TLS library does not by itself control the
> transport; therefore it would not know if there is a new connection, so
> the current specification is not implementable for these vendors.
> 
> It would be much easier to say the following instead:
> 
> The client's TLS Finished message from the first handshake of the
> session (note: TLS session, not connection, so that the channel
> binding is specific to each TLS session regardless of whether session
> resumption is used).
> 
> And the updated text does reflect what has been deployed for
> tls-unique.  
> 
> I would like to raise a red flag now. Needless to say, I will
> start a discussion with the responsible AD and the rest of the editors
> of this ID to fix this issue, and do so based on consensus.
> 
> Pasi, please consider this issue blocking for now.

Larry,

It's hard to parse your message because the words "connection" and
"transport" have multiple possible meanings in this context.

In any case we've discussed this before, and the _current_ text is what
we reached consensus on earlier.  I believe the current text says what I
think you meant to say, in your e-mail.

Nico
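As an added illustration (not code from this thread, the draft, or any TLS library), the Python block below computes the TLS 1.2 client Finished verify_data from a constructed master secret and handshake transcript, derives tls-unique under the two readings the thread is arguing about (the client Finished from the first handshake of the session, versus the client Finished of the handshake on the connection at hand), and shows how SCRAM-*-PLUS carries the result in its "c=" attribute. The master secret, the stand-in transcripts, and the connection-scoped variant are assumptions made for contrast; the draft's exact wording is not reproduced here.

```python
import base64
import hashlib
import hmac

VERIFY_DATA_LEN = 12   # default verify_data_length in TLS 1.2 (RFC 5246, 7.4.9)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, section 5)."""
    out, a = b"", seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def finished_verify_data(master_secret: bytes, transcript: bytes, client: bool = True) -> bytes:
    """verify_data of a Finished message (RFC 5246, 7.4.9):
    PRF(master_secret, finished_label, Hash(handshake_messages))[0:12]."""
    label = b"client finished" if client else b"server finished"
    return tls12_prf(master_secret, label, hashlib.sha256(transcript).digest(), VERIFY_DATA_LEN)


class TlsSession:
    """A TLS session: one master secret, possibly several connections via resumption."""

    def __init__(self, master_secret: bytes, first_full_transcript: bytes):
        self.master_secret = master_secret
        # Client Finished of the first (full) handshake that created the session.
        self.first_client_finished = finished_verify_data(master_secret, first_full_transcript, client=True)


def tls_unique_session_scoped(session: TlsSession) -> bytes:
    """Reading proposed in the quoted mail: the client Finished from the first
    handshake of the TLS session, unchanged by later resumptions."""
    return session.first_client_finished


def tls_unique_connection_scoped(session: TlsSession, this_connection_transcript: bytes) -> bytes:
    """Assumed per-connection reading, for contrast: the client Finished of the
    handshake that set up this particular connection (full or abbreviated)."""
    return finished_verify_data(session.master_secret, this_connection_transcript, client=True)


def scram_cbind_attribute(cb_data: bytes, cb_name: str = "tls-unique") -> str:
    """SCRAM-*-PLUS 'c=' attribute (RFC 5802, section 7):
    base64(gs2-header || cbind-data) with gs2-header 'p=<cb-name>,,'."""
    gs2_header = f"p={cb_name},,".encode()
    return "c=" + base64.b64encode(gs2_header + cb_data).decode()


# Constructed inputs, not from any real capture: a 48-byte master secret and
# stand-in "transcripts" for the full handshake and a later abbreviated one.
MASTER_SECRET = hashlib.sha384(b"constructed master secret").digest()      # 48 bytes
FULL_TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
RESUMED_TRANSCRIPT = b"ClientHello(session_id)|ServerHello(session_id)"


def demo() -> dict:
    """Derive tls-unique both ways for a session that is later resumed on a new connection."""
    session = TlsSession(MASTER_SECRET, FULL_TRANSCRIPT)
    cb_session = tls_unique_session_scoped(session)
    cb_resumed_conn = tls_unique_connection_scoped(session, RESUMED_TRANSCRIPT)
    return {
        "session_scoped": cb_session.hex(),
        "connection_scoped_on_resumed_connection": cb_resumed_conn.hex(),
        # The session-scoped value stays constant across resumption ...
        "same_across_resumption": cb_session == tls_unique_session_scoped(session),
        # ... while the per-connection value changes with every new handshake.
        "differs_per_connection": cb_session != cb_resumed_conn,
        "scram_c_attr": scram_cbind_attribute(cb_session),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two derivations differ only in which handshake transcript feeds the PRF, which is the practical core of the disagreement above: a TLS library that cannot see connection boundaries can still hand out the session-scoped value, whereas the per-connection value requires knowing that a new handshake (and thus a new Finished) has occurred on the transport the application is binding to.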