On Sun, Feb 21, 2016 at 11:31:04AM -0800, Martin Thomson wrote:
> I'm sitting here in TRON listening to Karthik describe all the various
> ways in which client authentication in 0-RTT is bad. I'm particularly
> sympathetic to the perpetual impersonation attack that arises when the
> client's ephemeral key is compromised.
It also seems like a footgun to me (yes, I realize one isn't supposed to
transport "non-safe"[1] data on it, but...).

> We originally thought that we might want to do this for
> WebRTC/real-time. As it so happens, we have an alternative design
> that doesn't need this, so...

Got mailarchive or draft link? Some sort of "sign ClientHello" scheme? Or
just taking the 1RTT for the authentication?

> I propose that we remove client authentication from 0-RTT.
>
> This should simplify the protocol considerably.

Yes, there are all sorts of obscure corner-cases with 0-RTT auth that don't
happen with 0-RTT data, and seemingly some existing extensions, if
implemented, bring even more (and the current spec doesn't even begin to
explain those extension issues).

[1] "idempotent" isn't enough: e.g. HTTP considers unconditional DELETE to be
idempotent, but the effects of making such a thing replayable with
authentication might not be desirable...

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
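The footnote's point, that "idempotent" is not the same as "safe to replay" once the early-data request carries client authentication, can be seen in a small simulation. This is an added example, not code from the thread or from any TLS implementation: the "early data" record, the PSK, the ticket name and the MAC-based client authentication are all constructed stand-ins, and the hardened server's two rules (refuse non-safe methods in early data, treat the ticket as single-use) are illustrative choices, not a description of what the TLS 1.3 draft specified. A client deletes a document in early data, the attacker records that flight, the client later re-creates the document, and the attacker replays the recorded flight.

```python
"""Toy simulation of replaying an authenticated 0-RTT request.

Constructed example: not real TLS, no real key schedule. The point is that a
naive server which accepts authenticated early data will re-execute an
idempotent DELETE on a resource the client has since re-created.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed shared secret standing in for the resumption PSK.
PSK = b"client-and-server-shared-psk"


@dataclass
class EarlyData:
    ticket: bytes   # identifies the PSK/session the early data is bound to
    method: str
    path: str
    mac: bytes      # stand-in for client authentication over the request


def _tag(ticket: bytes, method: str, path: str) -> bytes:
    return hmac.new(PSK, ticket + method.encode() + path.encode(),
                    hashlib.sha256).digest()


def client_send(method: str, path: str, ticket: bytes = b"ticket-1") -> EarlyData:
    """Client builds one authenticated early-data request."""
    return EarlyData(ticket, method, path, _tag(ticket, method, path))


@dataclass
class Server:
    hardened: bool = False
    resources: dict = field(default_factory=dict)
    seen_tickets: set = field(default_factory=set)  # anti-replay state

    def handle_early(self, ed: EarlyData) -> str:
        """Process an early-data request; returns a short status string."""
        if not hmac.compare_digest(_tag(ed.ticket, ed.method, ed.path), ed.mac):
            return "bad-auth"
        if self.hardened:
            # Rule 1: only "safe" methods in early data; idempotency is not
            # enough, so DELETE is refused and the client retries after 1-RTT.
            if ed.method not in ("GET", "HEAD"):
                return "reject-early-data"
            # Rule 2: single-use ticket, so even a GET cannot be replayed.
            if ed.ticket in self.seen_tickets:
                return "replay"
            self.seen_tickets.add(ed.ticket)
        if ed.method == "DELETE":
            self.resources.pop(ed.path, None)
            return "deleted"
        if ed.method == "GET":
            return self.resources.get(ed.path, "missing")
        return "unsupported"


def delete_replay(hardened: bool):
    """Returns (first result, replay result, final state of /doc)."""
    s = Server(hardened=hardened)
    s.resources["/doc"] = "v1"            # created earlier over a 1-RTT connection
    flight = client_send("DELETE", "/doc")
    first = s.handle_early(flight)        # legitimate request; attacker records it
    s.resources["/doc"] = "v2"            # client re-creates the document later
    replay = s.handle_early(flight)       # attacker replays the recorded flight
    return first, replay, s.resources.get("/doc")


def get_replay(hardened: bool):
    """Same flight sent twice; shows the single-use ticket rule on a safe method."""
    s = Server(hardened=hardened)
    s.resources["/doc"] = "v1"
    flight = client_send("GET", "/doc")
    return s.handle_early(flight), s.handle_early(flight)


if __name__ == "__main__":
    print("naive   :", delete_replay(False))   # replayed DELETE removes v2
    print("hardened:", delete_replay(True))    # DELETE never accepted in early data
    print("GET x2  :", get_replay(True))       # second copy flagged as replay
```

On the naive server the replayed DELETE succeeds a second time and removes the re-created "v2", even though DELETE is idempotent by HTTP's definition; the hardened server never lets the DELETE into early data at all, and its single-use ticket catches the repeated GET.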