I want to make sure that it is possible to mix PSK with (EC)DH as a protection
against the discovery of a quantum computer. I recognize that the WG does not
want to tackle this topic in the base specification; however, the following
text in Section 4.1.1 makes this difficult to do so in a compa
It's possible I'm misunderstanding your message here (I'm a little confused
by the mention of combining normal certificate authentication with an
external PSK), but TLS 1.3 already allows doing both PSK and (EC)DH. That's
the psk_dhe_ke mode, rather than the psk_ke mode. It's signaled by the
server
Does your implementation allow a PSK to be used along with certificate based
authentication?
On Thu, Dec 22, 2016 at 2:12 PM, David Benjamin wrote:
> It's possible I'm misunderstanding your message here (I'm a little
> confused by the mention of combining normal certificate authentication with
>
David:
Yes, it does allow both, but the authentication is unclear when both are in
play. The last bullet implies that certificate authentication only comes into
play when there is no PSK. So, if there is a PSK, the identity associated with
it seems to trump whatever is in the certificate.
As
On Thu, Dec 22, 2016 at 2:28 PM, Joseph Salowey wrote:
> Does your implementation allow a PSK to be used along with certificate
> based authentication?
>
There is presently no way to negotiate this in TLS 1.3. I have been
assuming that if we decide we want this we would add a psk_auth_mode
extens