The combination of DHE and TLS 1.3 session resumption via session tickets,
can destroy the forward secrecy property that DHE was intended to provide.
With the proposed removal of DHE-based 0-RTT from TLS 1.3, session
resumption is the mechanism by which 0-RTT connections are established.
When adopt
On Fri, Apr 8, 2016 at 6:13 PM, Bill Cox wrote:
> On Fri, Apr 8, 2016 at 1:50 PM, Jim Roskind wrote:
>
>> The combination of DHE and TLS 1.3 session resumption via session
>> tickets, can destroy the forward secrecy property that DHE was intended to
>> provide. With the proposed removal of DHE-
On Fri, Apr 8, 2016 at 1:50 PM, Jim Roskind wrote:
> If a symmetric-session-ticket-decryption-key was compromised by a server,
> as a result of a break-in, or a subpoena, then all traffic that depended on
> the session resumption tickets would be at risk. Moreover, a third party
> attacker that
On Fri, Apr 8, 2016 at 6:42 PM, Wan-Teh Chang wrote:
> On Fri, Apr 8, 2016 at 2:31 PM, Eric Rescorla wrote:
> >
> > ... TLS 1.3 supports two PSK-resumption modes:
> >
> > 1. Pure PSK, which has somewhat better security properties than in TLS
> 1.2
> > 2. PSK-ECDHE, which has similar security pro
Looks like this didn't make it out to the list. Forwarding
from my email address a message by Jon Solworth.
- Forwarded message from "Jon A. Solworth" -
Date: Fri, 8 Apr 2016 17:33:57 -0500
From: "Jon A. Solworth"
To: tls@ietf.org, Tanja Lange , "D. J. Bernstein"
, "W. Michael P
On Fri, Apr 8, 2016 at 10:26 PM, Tanja Lange
wrote:
> Looks like this didn't make it out to the list. Forwarding
> from my email address a message by Jon Solworth.
>
> - Forwarded message from "Jon A. Solworth"
> -
>
> Date: Fri, 8 Apr 2016 17:33:57 -0500
> From: "Jon A. Solworth"
> To:
