On Thu, Mar 31, 2016 at 8:33 AM, Hannes Tschofenig < hannes.tschofe...@gmx.net> wrote:
> Hi Ekr, > > > On 03/31/2016 05:05 PM, Eric Rescorla wrote: > > Hannes, > > > > No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles. > > > > The only way to do 0-RTT would be with a PSK (in both PSK and > > PSK-(EC)DHE modes). > > I see. This is, of course, a bit unfortunate. > Can you expand on why? The general sense of the discussion was that they offered similar properties. > > > However, this would include PSKs established via a previous session, > > i.e., resumption-PSK. > > Only established in previous sessions or also distributed out-of-band > (as it would be done with PSKs normally). The way you phrased it sounds > like you want to exclude the out-of-band case and I wonder why. > No, the out-of-band case is fine. -Ekr > > Ciao > Hannes > > > > > -Ekr > > > > > > On Thu, Mar 31, 2016 at 5:20 AM, Hannes Tschofenig > > <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>> wrote: > > > > Hi Sean, > > > > just to make sure that I properly understand the question: You are > > suggesting to remove the DHE support but not the ECDHE support from > the > > 0-RTT exchange. > > > > Removing the DHE support is fine for us (at ARM) since we are > focused on > > ECDHE for IoT devices. The DTLS/TLS profile and other IETF > > specifications very much focused on ECDHE and do not consider the > use of > > DHE. > > > > Ciao > > Hannes > > > > > > On 03/29/2016 03:11 PM, Sean Turner wrote: > > > All, > > > > > > To make sure we’ve got a clear way forward coming out of our BA > > > sessions, we need to make sure there’s consensus on a couple of > > > outstanding issues. So... > > > > > > There also seems to be (rougher) consensus not to support 0-RTT via > > > DHE (i.e., semi-static DHE) in TLS 1.3 at this time leaving the > only > > > 0-RTT mode as PSK. The security properties of PSK-based 0-RTT and > > > DHE-based 0-RTT are almost identical, but 0-RTT PSK has better > > > performance properties and is simpler to specify and implement. > Note > > > that this does not permanently preclude supporting DHE-based 0-RTT > in > > > a future extension, but it would not be in the initial TLS 1.3 RFC. > > > > > > If you think that we should keep DHE-based 0-RTT please indicate so > > > now and provide your rationale. > > > > > > J&S > > > > > > _______________________________________________ TLS mailing list > > > TLS@ietf.org <mailto:TLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/tls > > > > > > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org <mailto:TLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/tls > > > > > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
