Re: RFC 5929 tls-unique clarification?

On Fri, Oct 15, 2010 at 02:12:43PM +0200, Simon Josefsson wrote:
> I'm implementing an API for RFC 5929 in GnuTLS and I'm having some
> troubles with the specification.  Section 3.1 says:
> 
>    Description: The first TLS Finished message sent (note: the Finished
>    struct, not the TLS record layer message containing it) in the most
>    recent TLS handshake of the TLS connection being bound to (note: TLS
>    connection, not session, so that the channel binding is specific to
>    each connection regardless of whether session resumption is used).
> 
> I don't follow the need for a distinction between connection and session
> here -- a TLS session resumption consists of a new TLS handshake and it
> exchanges new Finished messages.

Some people thought that we needed to be clear about this in case
someone thought that the CB for a TLS connection were those of the
handshake that created the session.  You can see that that would be bad.

> To be precise, is it the case that, for a resumed TLS session, the
> tls-unique CB is
> 
> 1) the first TLS Finished message sent in the initial full TLS
> handshake?
> 
> or
> 
> 2) the first TLS Finished message sent in the abbreviated TLS handshake?

(2).

> In the former case, the text appears to be wrong because it refers to
> the most recent TLS handshake and not the initial full TLS handshake,
> and in the second case the distinction between session and connection
> does not seem to matter because the tls-unique CB data is always using
> the first Finished message exchanged in the latest TLS handshake?

See above.