On Wed, Feb 24, 2016 at 7:54 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 24 February 2016 at 07:44, Subodh Iyengar <sub...@fb.com> wrote:
>> Unless we add a way for the client to require a server authentication during
>> PSK resumption.
>
> I have been arguing for this now for a while. If there is an
> incentive to do "PSK resumption" (there is), and that does not provide
> the client a way to verify server certificates, then clients are
> forced to make a choice between performance and checking that the
> server holds the private key for the certificate. I'd like to see a
> mode where 0-RTT is grafted on to a full handshake with DHE and
> signing. Unfortunately, that gives us an almost full matrix of
> options:
Part of the motivation for session tickets in the first place was the cost of signing and DH. So long as servers can negotiate a resumption mode without these, and clients offer it, there is no liveness check. And if we require a DH+sign every resumption, we don't gain anything over the full exchange except 0-RTT. Why is this server liveness issue not considered a problem for TLS 1.2 resumption?

> PSK only
> PSK + DHE
> PSK + DHE + signing
> DHE + signing
>
> But at least we can remove "DH0RTT + DHE + signing" and maybe other
> combinations (though which ones we have currently isn't 100% clear to
> me).

--
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
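As an added illustration of the mode matrix discussed above (not part of the thread, and not code from any TLS implementation): a standard-library Python toy that runs the four handshake shapes end to end and reports which of them make the server demonstrate possession of the certificate's private key. The names (`Server`, `handshake`, `demo`), the 127-bit group, the Schnorr-style signature and the abbreviated HKDF-like key schedule are all constructed for the example as stand-ins for the TLS 1.3 mechanisms, not the specification's.

```python
# Added example, not code from the thread or from any TLS stack: a toy model
# of the four handshake shapes, stdlib only; group, signature and key schedule
# are constructed simplifications of the TLS 1.3 ones.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (constructed); far too small for real use
G = 3            # toy generator; any g satisfies g^ab == g^ba

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def expand(secret: bytes, label: bytes, context: bytes = b"") -> bytes:
    return hmac.new(secret, label + context, hashlib.sha256).digest()  # HKDF-Expand-Label stand-in

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    # toy Schnorr; exponents reduced mod P-1 (Fermat), so G's order need not be known
    k = secrets.randbelow(P - 2) + 1
    e = int.from_bytes(h(pow(G, k, P).to_bytes(16, "big"), msg), "big") % (P - 1)
    return e, (k - e * x) % (P - 1)

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return e == int.from_bytes(h(r.to_bytes(16, "big"), msg), "big") % (P - 1)

class Server:
    def __init__(self):
        self.cert_priv, self.cert_pub = keygen()
        self.tickets = {}  # ticket id -> resumption secret (real servers encrypt these under a ticket key)

    def issue_ticket(self, resumption_secret: bytes) -> bytes:
        tid = secrets.token_bytes(8)
        self.tickets[tid] = resumption_secret
        return tid

def handshake(mode: str, server: Server, cert_pub: int, ticket=None):
    """One toy handshake, both roles in one function.  mode is "psk", "psk_dhe",
    "psk_dhe_sign" or "dhe_sign"; cert_pub is what the client verified from the
    certificate; ticket is (ticket id, resumption secret) held by the client.
    Returns (session secret, True iff the server proved it holds cert_priv)."""
    use_psk, use_dhe, use_sign = mode.startswith("psk"), "dhe" in mode, "sign" in mode
    transcript = b"ClientHello:" + mode.encode()
    psk = b"\x00" * 32
    if use_psk:
        tid, client_secret = ticket
        # the binder proves knowledge of the PSK and nothing about the certificate key
        binder = hmac.new(expand(client_secret, b"res binder"), transcript, hashlib.sha256).digest()
        psk = server.tickets[tid]
        expected = hmac.new(expand(psk, b"res binder"), transcript, hashlib.sha256).digest()
        if not hmac.compare_digest(binder, expected):
            raise ValueError("binder mismatch")
        transcript += b"|binder:" + binder
    shared = b"\x00" * 32
    if use_dhe:
        a, A = keygen()
        b, B = keygen()
        shared = pow(B, a, P).to_bytes(16, "big")  # == pow(A, b, P): forward secrecy, no authentication
        transcript += b"|shares:" + A.to_bytes(16, "big") + B.to_bytes(16, "big")
    proven = False
    if use_sign:
        if server.cert_priv is None:
            raise ValueError("no CertificateVerify: server lacks the private key")
        if not verify(cert_pub, transcript, sign(server.cert_priv, transcript)):
            raise ValueError("CertificateVerify failed")
        proven = True
    early = hmac.new(b"\x00" * 32, psk, hashlib.sha256).digest()
    hs = hmac.new(expand(early, b"derived"), shared, hashlib.sha256).digest()
    return expand(hs, b"master", transcript), proven

def demo():
    """Full handshake, resume three ways, then retry after the server loses its cert key."""
    server = Server()
    session, proven = handshake("dhe_sign", server, server.cert_pub)
    assert proven
    res_secret = expand(session, b"res master")
    ticket = (server.issue_ticket(res_secret), res_secret)
    modes = ("psk", "psk_dhe", "psk_dhe_sign")
    key_proven = {m: handshake(m, server, server.cert_pub, ticket)[1] for m in modes}
    server.cert_priv = None  # key rotated or lost while the ticket is still valid
    still_resumes = {}
    for m in modes:
        try:
            handshake(m, server, server.cert_pub, ticket)
            still_resumes[m] = True
        except ValueError:
            still_resumes[m] = False
    return key_proven, still_resumes

if __name__ == "__main__":
    print(demo())
```

`demo()` returns two dicts: which modes make the server prove possession of the certificate key (only the one with signing), and which still succeed once that key is gone (PSK and PSK + DHE resume regardless). That second dict is the liveness gap the message describes: the binder only shows both sides know the ticket secret, and adding DHE buys forward secrecy but still authenticates nothing.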