On Tue, Mar 29, 2016 at 09:13:57AM -0700, Bill Cox wrote:

> As most people on this list know, stateful PSK 0-RTT can be more secure
> than any scheme possible with DHE 0-RTT, stateful or not. 

I disagree with this.

Both PSK and DHE can, with server-side state, achieve the best possible
security (relative to any possible scheme).


Of course, currently DHE mode is cryptographically busted. And I really
dislike seeing such modes. But the proposal for 0-RTT contexts would
fix that.



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
