Correct. -Ekr
On Sun, Feb 21, 2016 at 11:41 AM, Cedric Fournet <four...@microsoft.com> wrote: > Agreed. For what it is worth, 0-RTT with PSK would still provide implicit > client authentication. > > > > > > *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Eric Rescorla > *Sent:* 21 February 2016 19:37 > *To:* Martin Thomson <martin.thom...@gmail.com> > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] Remove 0-RTT client auth > > > > +1 > > > > On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson <martin.thom...@gmail.com> > wrote: > > I'm sitting here in TRON listening to Karthik describe all the various > ways in which client authentication in 0-RTT is bad. I'm particularly > sympathetic to the perpetual impersonation attack that arises when the > client's ephemeral key is compromised. > > We originally thought that we might want to do this for > WebRTC/real-time. As it so happens, we have an alternative design > that doesn't need this, so... > > I propose that we remove client authentication from 0-RTT. > > This should simplify the protocol considerably. > > https://github.com/tlswg/tls13-spec/issues/420 > > [1] Compromising the server's long term key has the same impact, but > that's interesting for other, worse reasons. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cFOURNET%40064d.mgd.microsoft.com%7cb8afe35a6c8a4dd7e41308d33af67de7%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=JiINW%2fUouLWcJn0b%2fGjg7mVZH%2fGQxI1QvOhA42YdywE%3d> > > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
