On Wed, Feb 24, 2016 at 7:54 AM, Martin Thomson
<martin.thom...@gmail.com> wrote:
> On 24 February 2016 at 07:44, Subodh Iyengar <sub...@fb.com> wrote:
>> Unless we add a way for the client to require a server authentication during
>> PSK resumption.
>
> I have been arguing for this now for a while.  If there is an
> incentive to do "PSK resumption" (there is), and that does not provide
> the client a way to verify server certificates, then clients are
> forced to make a choice between performance and checking that the
> server holds the private key for the certificate.  I'd like to see a
> mode where 0-RTT is grafted on to a full handshake with DHE and
> signing.  Unfortunately, that gives us an almost full matrix of
> options:

Part of the motivation for session tickets in the first place was the
cost of signing and DH. So long as servers can negotiate a resumption
mode without these, and clients offer it, there is no liveness check.
And if we require a DH+sign every resumption, we don't gain anything
over the full exchange except 0-RTT. Why is this server liveness issue
not considered a problem for TLS 1.2 resumption?

>
> PSK only
> PSK + DHE
> PSK + DHE + signing
> DHE + signing
>
> But at least we can remove "DH0RTT + DHE + signing" and maybe other
> combinations (though which ones we have currently isn't 100% clear to
> me).

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
