Re: [TLS] Binder key labels for imported PSKs

2019-09-05 Thread Martin Thomson
That's a much better answer than I was looking for :) That makes sense. The gap between theory and practice here is still something that is worth spending some time on, but I can see how that is something that we might want to keep out of this document. The goal here is simple: take a PSK tha

Re: [TLS] FYI: new TLS HandshakeType allocation, from draft-ietf-perc-srtp-ekt-diet

2019-09-05 Thread Richard Barnes
On Thu, Sep 5, 2019 at 2:38 AM Watson Ladd wrote:
> I wish I understood the analysis of TLS 1.3 better, but a core feature
> of the protocol is compositionality: the keys from the handshake are
> fresh, unlike in TLS 1.2 where they were used to encrypt the Finished
> thus posing an obstacle to an

Re: [TLS] Binder key labels for imported PSKs

2019-09-05 Thread Jonathan Hoyland
Hi Martin, So I agree that on the micro-scale there is limited practical value to be gained from adding this binding. The theoretical benefits, which mean that the client and server agree that PSK Importers are being used are nice, but on their own might not justify a high-effort change. However,