Agreed. For what it is worth, 0-RTT with PSK would still provide implicit 
client authentication.



From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
Sent: 21 February 2016 19:37
To: Martin Thomson <martin.thom...@gmail.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Remove 0-RTT client auth

+1

On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson 
<martin.thom...@gmail.com> wrote:
I'm sitting here in TRON listening to Karthik describe all the various
ways in which client authentication in 0-RTT is bad.  I'm particularly
sympathetic to the perpetual impersonation attack that arises when the
client's ephemeral key is compromised.

We originally thought that we might want to do this for
WebRTC/real-time.  As it so happens, we have an alternative design
that doesn't need this, so...

I propose that we remove client authentication from 0-RTT.

This should simplify the protocol considerably.

https://github.com/tlswg/tls13-spec/issues/420

[1] Compromising the server's long term key has the same impact, but
that's interesting for other, worse reasons.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
