Re: [TLS] Call for consensus: Removing DHE-based 0-RTT

Thu, 31 Mar 2016 08:34:16 -0700 

Hi Ekr,


On 03/31/2016 05:05 PM, Eric Rescorla wrote:
> Hannes,
> 
> No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles.
> 
> The only way to do 0-RTT would be with a PSK (in both PSK and
> PSK-(EC)DHE modes).

I see. This is, of course, a bit unfortunate.

> However, this would include PSKs established via a previous session,
> i.e., resumption-PSK.

Only established in previous sessions or also distributed out-of-band
(as it would be done with PSKs normally). The way you phrased it sounds
like you want to exclude the out-of-band case and I wonder why.

Ciao
Hannes

> 
> -Ekr
> 
> 
> On Thu, Mar 31, 2016 at 5:20 AM, Hannes Tschofenig
> <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>> wrote:
> 
>     Hi Sean,
> 
>     just to make sure that I properly understand the question: You are
>     suggesting to remove the DHE support but not the ECDHE support from the
>     0-RTT exchange.
> 
>     Removing the DHE support is fine for us (at ARM) since we are focused on
>     ECDHE for IoT devices. The DTLS/TLS profile and other IETF
>     specifications very much focused on ECDHE and do not consider the use of
>     DHE.
> 
>     Ciao
>     Hannes
> 
> 
>     On 03/29/2016 03:11 PM, Sean Turner wrote:
>     > All,
>     >
>     > To make sure we’ve got a clear way forward coming out of our BA
>     > sessions, we need to make sure there’s consensus on a couple of
>     > outstanding issues.  So...
>     >
>     > There also seems to be (rougher) consensus not to support 0-RTT via
>     > DHE  (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only
>     > 0-RTT mode as PSK. The security properties of PSK-based 0-RTT and
>     > DHE-based 0-RTT are almost identical, but 0-RTT PSK has better
>     > performance properties and is simpler to specify and implement. Note
>     > that this does not permanently preclude supporting DHE-based 0-RTT in
>     > a future extension, but it would not be in the initial TLS 1.3 RFC.
>     >
>     > If you think that we should keep DHE-based 0-RTT please indicate so
>     > now and provide your rationale.
>     >
>     > J&S
>     >
>     > _______________________________________________ TLS mailing list
>     > TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>     >
> 
> 
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
> 
>

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to