Dumb mode question

[meepbear *]

> > If a server receives an invalidate_handle it does know about then it
> > should be not answer the check_authentication but simply return an error
> > as well.
>
>No!  The whole point of invalidate_handle was for when servers forgot
>their secrets.  If you send a server a gibberish invalidate_handle, it has
>to confirm that it knows nothing about it.
I suggested the opposite though.

An "attacker" has three (easy) choices to tamper with an invalidate_handle: 
1) make one up and neither will know about it, 2) use one the server knows 
about but the consumer doesn't, 3) use one that both the consumer and server 
know about.
With the normal flow of the protocol, none of the above should ever occur 
"naturally". The only way a "regular mode" consumer could fallback to "dumb 
mode" is when the server forgets about the handle and then the consumer is 
the only one that knows about it.

On the consumer side: it sees an invalidate_handle it doesn't know about so 
it returns an error (elminates 1 and 2).
On the server side: it knows it would never return an invalidate_handle on 
an handle it knows about (and hasn't expired yet) so it can safely return an 
error without breaking anything when it sees one, eliminating 3.

The legitimate case is when the server forgets about an handle in which case 
the consumer won't complain since it knows about the handle. The server 
won't complain either since it doesn't know the handle and will acknowledge 
that it doesn't and validate the "check_authentication" as it's supposed to.