On Sat, Jul 25, 2015 at 09:07:49PM +0200, Eric Rescorla wrote: > > > We agreed on how to do this in Prague. The sticking point was establishing > the cipher suite. I have WIP text on my machine for both of these which I > will be > sending early next week, once I get enough sleep to be able to clean it up, > so I'd ask people to sit tight till then. >
Okay, now the PR (#211) seems to be up, let's review: - Lacks client-driven client authentication[1]. All client auth is server driven, which I think isn't very useful in real world (there are all sorts of bad hacks[2] trying to work around lack of client-driven auth). - EncryptedExtensions looks to be mandatory in some exchanges, optional in others. I agree it should be mandatory in all (issue #213). - "The client's cryptographic determining parameters match the parameters that the server has negotiated based on the rest of the ClientHello." ... Does that mean the client has to guess what ciphersuite the server will choose (more than pure-PSK vs. GDHE, which is unvaoidable with just one encrypted block)? - Regarding other extensions, it doesn't look to be the same list as ServerHello extensions, as max_fragment_length is on ServerHello, but certainly makes no sense as 0-RTT extension (I didn't see any other possibly relevant extensions). - Am I reading the syntax wrong, or does the extensions field in server configuration only allow exactly one extension (shouldn't it be zero or more)? Also, regarding issue #212, unless the Certificate is handled specially, it would mean that the signature does not cover certificate. And not signing the certificate (esp. the public key within) causes problems in some exotic cases (I don't know if any of those cases pop up in TLS 1.3). I think it would simplify the security analysis a bit if CertificateVerify was always immediately before Finished and covered everything before that point. On client side, one gets that "no certificate" special case anyway. [1] A lot of time, the client knows if it is going to present client certificate or not before it initiates the handshake. [2] At best ugly, at worst security problem. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
