I've been reviewing this issue because I want to help figure out how to do token binding over TLS 1.3 PSK 0-RTT. When the server emulates a session cache, the RMS is unique on every PSK 0-RTT resumption. That means the client handshake hash is also unique, and it therefore becomes an attractive value for the purpose of signing. If we allow client auth in this mode, we gain some security. In particular, without access to the client cert private key, an attacker cannot resume a session, even if they have the RMS.

Given this possible mode of operation, we may want to consider keeping client auth as an option in 0-RTT PSK resumption.

Bill
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls