On 24 February 2016 at 07:44, Subodh Iyengar <sub...@fb.com> wrote:
> Unless we add a way for the client to require a server authentication during
> PSK resumption.

I have been arguing for this now for a while. If there is an incentive to do "PSK resumption" (there is), and that does not provide the client a way to verify server certificates, then clients are forced to make a choice between performance and checking that the server holds the private key for the certificate.

I'd like to see a mode where 0-RTT is grafted on to a full handshake with DHE and signing. Unfortunately, that gives us an almost full matrix of options:

  PSK only
  PSK + DHE
  PSK + DHE + signing
  DHE + signing

But at least we can remove "DH0RTT + DHE + signing" and maybe other combinations (though which ones we have currently isn't 100% clear to me).

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls