+1 On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
> I'm sitting here in TRON listening to Karthik describe all the various > ways in which client authentication in 0-RTT is bad. I'm particularly > sympathetic to the perpetual impersonation attack that arises when the > client's ephemeral key is compromised. > > We originally thought that we might want to do this for > WebRTC/real-time. As it so happens, we have an alternative design > that doesn't need this, so... > > I propose that we remove client authentication from 0-RTT. > > This should simplify the protocol considerably. > > https://github.com/tlswg/tls13-spec/issues/420 > > [1] Compromising the server's long term key has the same impact, but > that's interesting for other, worse reasons. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
