For general-purpose TLS stacks that have to support PSK anyway (and therefore 
already deal with PSK persistence issues), removing DH-based 0-RTT is a 
significant simplification.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Martin Thomson
Sent: Tuesday, February 23, 2016 11:39 AM
To: Wan-Teh Chang <w...@google.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Remove DH-based 0-RTT

On 23 February 2016 at 11:24, Wan-Teh Chang <w...@google.com> wrote:
> It seems sufficient to just ban client authentication in replayable 
> DH-based 0-RTT. Why remove DH-based 0-RTT altogether?

On the grounds that it is more complex to analyze, build, and test.
And given that deferring the feature does no significant harm to those who want 
it.

I acknowledge that persistence of secrets on clients is a material difference 
between that and PSK-based 0-RTT.  I just don't think that it's a good enough 
reason to pay for what is a relatively expensive feature.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
