On 03/31/2016 12:13 PM, Eric Rescorla wrote: > > > On Thu, Mar 31, 2016 at 10:08 AM, Benjamin Kaduk <bka...@akamai.com > <mailto:bka...@akamai.com>> wrote: > > On 03/31/2016 12:02 PM, Bill Cox wrote: >> On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig >> <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>> wrote: >> >> Hi Sean, >> >> we at ARM would find it somewhat unfortunate to remove the client >> authentication feature from the 0-RTT exchange since this is >> one of the >> features that could speed up the exchange quite significantly >> and would >> make a big difference compared to TLS 1.2. >> >> >> Client certs can still be used with PSK 0-RTT, but only on the >> initial 1-RTT handshake. it is up to the client to ensure that >> the security of the resumption master secret (RMS) is solid >> enough to warrant doing 0-RTT session resumption without >> re-verification of the client cert. > > That seems to rule out most corporate uses of client certs [for > 0-RTT client authentication], since I doubt anyone will be > interested in trusting that the client does so properly. > > > Do those servers generally carry over client auth through resumption? >
I don't know, offhand. I just wanted to point out that for one sizeable use case for client certs in general (not considering 0RTT), this proposed scheme does not seem useful. It may still be useful in other use cases, of course. -Ben
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
