Re: [TLS] 0-RTT, server Application Data, and client Finished

2016-01-28 Thread David Benjamin
On Wed, Jan 27, 2016 at 2:44 PM Ilari Liusvaara wrote:

> On Wed, Jan 27, 2016 at 07:28:47PM +, David Benjamin wrote:
> > On Tue, Jan 26, 2016 at 10:32 PM Martin Thomson <
> martin.thom...@gmail.com>
> > wrote:
> > >
> > > I get your point, but I don't see that as a simplification.  In my
> > > mind, post-handshake client authentication doesn't happen.  Or, I
> > > don't see it being commonplace.
> >
> > But the only cases where this flow is useful (server sends non-zero
> > unauthenticated bytes at t=0.5 before the authenticated bytes at t=1.5)
> > have all the same pitfalls of mid-stream auth (specifically that the
> > stream's authentication switches partway through), so I don't see what
> > avoiding mid-stream auth is supposed to gain.
>
> I don't think the two situations have the same problems:
> - "Server 0-RTT" has _recipient_ identity change.
> - "Dynamic reauth" has _sender_ identity change.
>
> You have more concrete examples of things going wrong with "server
> 0-RTT"? Because I have major problems coming up with troublesome
> cases.


The client also has some 0-RTT data which, in the server 0-RTT case, the
server reports was accepted and processed. That all is associated with the
first identity rather than the second. So I believe we have sender identity
change in both cases.

David
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] 0-RTT, server Application Data, and client Finished

2016-01-28 Thread Ilari Liusvaara
On Thu, Jan 28, 2016 at 05:36:22PM +, David Benjamin wrote:
> On Wed, Jan 27, 2016 at 2:44 PM Ilari Liusvaara wrote:
> 
> > On Wed, Jan 27, 2016 at 07:28:47PM +, David Benjamin wrote:
> > > On Tue, Jan 26, 2016 at 10:32 PM Martin Thomson <
> > martin.thom...@gmail.com>
> >
> > I don't think the two situations have the same problems:
> > - "Server 0-RTT" has _recipient_ identity change.
> > - "Dynamic reauth" has _sender_ identity change.
> >
> > You have more concrete examples of things going wrong with "server
> > 0-RTT"? Because I have major problems coming up with troublesome
> > cases.
> 
> 
> The client also has some 0-RTT data which, in the server 0-RTT case, the
> server reports was accepted and processed. That all is associated with the
> first identity rather than the second. So I believe we have sender identity
> change in both cases.

The 0-RTT being sent under a different identity than the application data
does involve a sender identity change, but what does it have to do with
"server 0-RTT"? The client could do that (and run into trouble with
badly designed protocols) without "server 0-RTT".


-Ilari
