Re: [TLS] draft-rescorla-tls-subcerts

2016-07-15 Thread Ilari Liusvaara
On Fri, Jul 15, 2016 at 12:28:18AM +, Andrei Popov wrote:
> Naïve question: why not simply get a constrained CA certificate and issue short-validity end entity certs? Unless I’m missing something, this would work with existing TLS implementations, no extensions required.
The I-D actually

[TLS] Why is resumption_context hashed?

2016-07-15 Thread David Benjamin
Every time resumption_context is used, it's fed into the PRF hash. Handshake Context gets hashed since that actually expands to the full concatenation and we want to be able to maintain a rolling hash. But resumption_context is always a short value and is already the size of the PRF hash. (If not r

Re: [TLS] Why is resumption_context hashed?

2016-07-15 Thread Eric Rescorla
On Fri, Jul 15, 2016 at 11:39 AM, David Benjamin wrote:
> Every time resumption_context is used, it's fed into the PRF hash. Handshake Context gets hashed since that actually expands to the full concatenation and we want to be able to maintain a rolling hash. But resumption_context is alway

Re: [TLS] draft-rescorla-tls-subcerts

2016-07-15 Thread Andrei Popov
> The I-D actually covers this.
Understood; the I-D lists a few cons, but arguably none of them are blocking issues. It seems unnecessary to create a new TLS-specific mechanism that duplicates existing PKI semantics.
> Those two serve different purposes. Sometimes you really need the ES/KS sp

Re: [TLS] draft-rescorla-tls-subcerts

2016-07-15 Thread Benjamin Kaduk
On 07/15/2016 12:34 PM, Andrei Popov wrote:
>> The I-D actually covers this.
> Understood; the I-D lists a few cons, but arguably none of them are blocking issues. It seems unnecessary to create a new TLS-specific mechanism that duplicates existing PKI semantics.
> I think the main justifica