I'm sitting here in TRON listening to Karthik describe all the various ways in which client authentication in 0-RTT is bad. I'm particularly sympathetic to the perpetual impersonation attack that arises when the client's ephemeral key is compromised.
We originally thought that we might want to do this for WebRTC/real-time. As it so happens, we have an alternative design that doesn't need this, so... I propose that we remove client authentication from 0-RTT. This should simplify the protocol considerably.

https://github.com/tlswg/tls13-spec/issues/420

[1] Compromising the server's long-term key has the same impact, but that's interesting for other, worse reasons.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls