On Fri, Apr 8, 2016 at 6:42 PM, Wan-Teh Chang <w...@google.com> wrote:

> On Fri, Apr 8, 2016 at 2:31 PM, Eric Rescorla <e...@rtfm.com> wrote:
> >
> > ... TLS 1.3 supports two PSK-resumption modes:
> >
> > 1. Pure PSK, which has somewhat better security properties than in TLS 1.2
> > 2. PSK-ECDHE, which has similar security properties to those of QUIC, i.e.,
> > no-PFS for the first flight and PFS for subsequent flights
> >
> > I think it would be good to encourage people to use mode #2, but there are
> > obvious reasons why performance-sensitive implementations might opt for
> > mode #1.
>
> I don't know why one wants to choose PSK-ECDHE resumption over ECDHE
> full handshake. Does PSK-ECDHE resumption have any advantage over
> ECDHE full handshake?


Yes [0]

1. It has a significantly lower performance cost (especially if you have an
RSA cert).
2. If you have done client authentication, then you can carry the state over
between handshakes.
3. As it seems likely we are going to remove the (EC)DHE 0-RTT mode, this is
how you do 0-RTT.

-Ekr



[0] For the sake of this discussion, I'm talking about resumption PSK when the
server is authenticating with a cert. Obviously if you are using PSK-based
authentication there are reasons why you would want to do this.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
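The security difference the two posters are comparing (pure PSK resumption versus PSK-ECDHE, and why 0-RTT has no forward secrecy in either) is easiest to see by running the TLS 1.3 key schedule itself. The following is an added example, not code from the thread or from any TLS implementation: it implements the RFC 8446 section 7.1 client-side schedule with HKDF-SHA256 from the Python standard library, runs one resumed handshake in each PSK mode, then plays a passive recorder who later obtains the PSK (for example through a leaked session-ticket key) and checks which traffic secrets it can recompute. Assumptions: finite-field DH over RFC 3526 group 14 stands in for an ECDHE curve because the standard library has no X25519 (the schedule only sees the shared secret as bytes, so the group does not change the outcome); the handshake transcripts are constructed placeholder strings rather than real messages; the PSK is random.

```python
"""Added example (not from the thread): TLS 1.3 resumption key schedule
(RFC 8446 s7.1) in pure-PSK and PSK-(EC)DHE modes, then a PSK-compromise
replay by a passive recorder. Finite-field DH (RFC 3526 group 14) is an
assumed stand-in for ECDHE; transcripts are constructed placeholders."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HLEN = HASH().digest_size
ZEROS = b"\x00" * HLEN

# RFC 3526 2048-bit MODP group 14, generator 2 (stand-in for an ECDHE group).
MODP_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
MODP_G = 2


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def key_schedule(psk, ecdhe_shared, tr_ch, tr_sh, tr_sfin):
    """Client traffic secrets. ecdhe_shared=None selects pure PSK, where
    RFC 8446 feeds Hash.length zero bytes into the handshake-secret Extract."""
    early_secret = hkdf_extract(ZEROS, psk)
    out = {"early": derive_secret(early_secret, b"c e traffic", tr_ch)}  # 0-RTT keys
    hs_ikm = ZEROS if ecdhe_shared is None else ecdhe_shared
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""), hs_ikm)
    out["handshake"] = derive_secret(handshake_secret, b"c hs traffic", tr_sh)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), ZEROS)
    out["application"] = derive_secret(master_secret, b"c ap traffic", tr_sfin)
    return out


def dh_keypair():
    priv = secrets.randbits(256)
    return priv, pow(MODP_G, priv, MODP_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, MODP_P).to_bytes(256, "big")


def resumption(mode, psk, transcripts):
    """One resumed handshake. Returns the client's secrets plus what a passive
    recorder captured: public DH values only, never private keys or the PSK."""
    shared, wire = None, {}
    if mode == "psk_ecdhe":
        c_priv, c_pub = dh_keypair()
        s_priv, s_pub = dh_keypair()
        shared = dh_shared(c_priv, s_pub)
        assert shared == dh_shared(s_priv, c_pub)
        wire = {"client_pub": c_pub, "server_pub": s_pub}
        del c_priv, s_priv  # ephemeral keys are erased once the handshake ends
    return key_schedule(psk, shared, *transcripts), wire


def attacker_recovers(mode, leaked_psk, wire, transcripts):
    """Secrets the recorder can recompute after the PSK leaks."""
    if mode == "psk":
        return key_schedule(leaked_psk, None, *transcripts)
    # PSK-ECDHE: wire["client_pub"] and wire["server_pub"] do not give the DH
    # secret, so the handshake/application branches are out of reach. The early
    # branch depends on the PSK alone, so the 0-RTT flight still falls.
    early_secret = hkdf_extract(ZEROS, leaked_psk)
    return {"early": derive_secret(early_secret, b"c e traffic", transcripts[0])}


def demo():
    """Per mode: which client traffic secrets the attacker recovers."""
    psk = secrets.token_bytes(HLEN)  # constructed resumption PSK
    transcripts = (b"ClientHello", b"ClientHello|ServerHello",
                   b"ClientHello|ServerHello|...|server Finished")  # constructed
    verdict = {}
    for mode in ("psk", "psk_ecdhe"):
        real, wire = resumption(mode, psk, transcripts)
        got = attacker_recovers(mode, psk, wire, transcripts)
        verdict[mode] = {name: got.get(name) == value for name, value in real.items()}
    return verdict


if __name__ == "__main__":
    for mode, recovered in demo().items():
        print(mode, recovered)
```

Both modes report the early (0-RTT) secret as recoverable, which is the "no-PFS for the first flight" property from the quoted message; only pure PSK also gives up the handshake and application secrets, because nothing in its schedule depends on a value the recorder did not see. The schedule also shows the cost point: neither resumption mode needs a CertificateVerify signature, which is where the savings over an ECDHE full handshake with an RSA certificate come from.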