All,

To make sure we’ve got a clear way forward coming out of our BA sessions, we need to make sure there’s consensus on a couple of outstanding issues. So...

There also seems to be (rougher) consensus not to support 0-RTT via DHE (i.e., semi-static DHE) in TLS 1.3 at this time, leaving the only 0-RTT mode as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT are almost identical, but 0-RTT PSK has better performance properties and is simpler to specify and implement. Note that this does not permanently preclude supporting DHE-based 0-RTT in a future extension, but it would not be in the initial TLS 1.3 RFC.

If you think that we should keep DHE-based 0-RTT, please indicate so now and provide your rationale.

J&S