What do we have in terms of formal analysis for this extension?
-Ekr
On Fri, Dec 1, 2023 at 11:40 AM Russ Housley wrote:
> I think this should move forward. I am encouraged that at least two
> people have spoken to me about their implementations.
>
> Russ
>
> On Nov 29, 2023, at 10:51 AM, Jos
At least one bit of work:
https://dl.acm.org/doi/abs/10.1145/3548606.3559360
On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote:
> What do we have in terms of formal analysis for this extension?
>
> -Ekr
>
>
> On Fri, Dec 1, 2023 at 11:40 AM Russ Housley wrote:
>
>> I think this should move forwa
Whoops wrong one, strike that
On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly
wrote:
> At least one bit of work:
> https://dl.acm.org/doi/abs/10.1145/3548606.3559360
>
> On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote:
>
>> What do we have in terms of formal analysis for this extension?
>>
>> -E
To respond directly to the call: I think we should require some level of
formal analysis for this kind of extension.
If there is some, I think the WG should look at it to determine whether
it's sufficient. If there isn't I think this should remain at experimental.
Not having a normative downref is
+1
Reading RFC 8773, I feel at least a tension and maybe a contradiction
between the stated motivation, resisting to quantum analysis by
combining an [EC]DH derived secret and a PSK, and the use of the PSK
alone to derive the early secret. If the early secret is used for 0-RTT,
then the adver
