On Wed, Jan 27, 2016 at 07:28:47PM +0000, David Benjamin wrote:
> On Tue, Jan 26, 2016 at 10:32 PM Martin Thomson <martin.thom...@gmail.com>
> wrote:
> >
> > I get your point, but I don't see that as a simplification.  In my
> > mind, post-handshake client authentication doesn't happen.  Or, I
> > don't see it being commonplace.
> 
> But the only cases where this flow is useful (server sends non-zero
> unauthenticated bytes at t=0.5 before the authenticated bytes at t=1.5) have
> all the same pitfalls of mid-stream auth (specifically that the stream's
> authentication switches partway through), so I don't see what avoiding
> mid-stream auth is supposed to gain.

I don't think the two situations have the same problems:
- "Server 0-RTT" has _recipient_ identity change.
- "Dynamic reauth" has _sender_ identity change.

You have more concrete examples of things going wrong with "server
0-RTT"? Because I have major problems coming up with troublesome
cases.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls