On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Hi Sean,
>
> we at ARM would find it somewhat unfortunate to remove the client
> authentication feature from the 0-RTT exchange since this is one of the
> features that could speed up the exchange quite significantly and would
> make a big difference compared to TLS 1.2.
>

Client certs can still be used with PSK 0-RTT, but only on the initial
1-RTT handshake.  It is up to the client to ensure that the security of the
resumption master secret (RMS) is solid enough to warrant doing 0-RTT
session resumption without re-verification of the client cert.  The
simplest way to explain how the server should work in this case is to just
say you need to emulate a session cache.

This is both more secure and faster than the current spec, where client
certs are sent during a 0-RTT resume.  The root security problem is that
the client cannot prove it possesses the private key in a 0-RTT handshake.

So, it is going to be a bit more work, but it will be fast and should be
secure.

Bill
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
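
A minimal model of the session-cache emulation described in the reply above, as an added example that is not part of the original thread or of any TLS implementation. The class and function names are hypothetical, the certificate bytes are constructed by the caller, and the HMAC check is a simplified stand-in for the TLS key schedule: it shows that on resumption the client proves possession of the RMS only, while its certificate identity is inherited from the initial 1-RTT handshake.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

@dataclass
class CachedSession:
    rms: bytes               # resumption master secret from the 1-RTT handshake
    cert_fingerprint: str    # SHA-256 of the client cert verified in that handshake
    expires_at: float

class SessionCache:
    """Toy server-side cache; names and layout are hypothetical."""
    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s
        self._by_ticket = {}

    def store_after_full_handshake(self, rms, client_cert_der, now=None):
        # Call only after the client proved private-key possession in 1-RTT.
        now = time.time() if now is None else now
        ticket = os.urandom(16)
        fp = hashlib.sha256(client_cert_der).hexdigest()
        self._by_ticket[ticket] = CachedSession(rms, fp, now + self.lifetime_s)
        return ticket

    def resume(self, ticket, hello, proof, now=None):
        """Return the cached client identity, or None to force a full handshake."""
        now = time.time() if now is None else now
        sess = self._by_ticket.get(ticket)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._by_ticket[ticket]
            return None
        # Simplified stand-in for the key schedule: client shows it holds the RMS.
        expected = hmac.new(sess.rms, hello, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return sess.cert_fingerprint

    def revoke_certificate(self, fingerprint):
        # Identity is inherited from the cache, so revocation must evict sessions.
        stale = [t for t, s in self._by_ticket.items()
                 if s.cert_fingerprint == fingerprint]
        for t in stale:
            del self._by_ticket[t]
        return len(stale)

def client_proof(rms, hello):
    # Client side of the stand-in check: keyed MAC over its hello bytes.
    return hmac.new(rms, hello, hashlib.sha256).digest()
```
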
