Thanks for the clarification. Yes, I believe that is true. -Ekr
On Thu, May 19, 2016 at 11:34 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Thu, May 19, 2016 at 02:38:35PM -0700, Eric Rescorla wrote:
> > On Thu, May 19, 2016 at 12:35 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > >
> > > In very quick'n'dirty security analysis the other thing I noticed was
> > > that if server handshake needs something to be nonce w.r.t. "SS", (e.g.
> > > happens in GDHE-PSK-CERT modes MT posted I-D about), you need contexts
> > > anyway, even with just "SS" being PSK.
> >
> > Sorry, I think you lost me there. Can you rephrase?
>
> Basically, I think that without contexts, PSK+ServerCert modes like MT
> proposed (for 0-RTT with server certificate auth) run into cryptographic
> issues.
>
>
> -Ilari
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
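The exchange above turns on whether the key schedule needs a handshake "context" (a transcript hash fed into HKDF-Expand-Label) when the static secret SS is derived from a PSK alone. As an added illustration, not part of the thread and not a reconstruction of MT's draft or of Ilari's analysis, the following Python models a draft-13-style HkdfLabel ("TLS 1.3, " prefix, length, label, hash_value) and derives a key from a PSK-only SS for two handshakes that differ only in their random values. With an empty context the two derivations collapse to the same key; with the transcript hash as context they differ. The labels, the all-zero salt and the two sample transcripts are constructed for the demo.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, hash_value: bytes, length: int) -> bytes:
    """Draft-era HkdfLabel (assumed layout for this demo):
       uint16 length; opaque label<9..255> = "TLS 1.3, " + label; opaque hash_value<0..255>."""
    full_label = b"TLS 1.3, " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(hash_value)]) + hash_value)
    return hkdf_expand(secret, info, length)


def static_secret_from_psk(psk: bytes) -> bytes:
    """SS when the only static key material is the PSK (no DH share mixed in).
    The zero salt is an assumption of this demo, not a statement about any draft."""
    return hkdf_extract(b"\x00" * HASH_LEN, psk)


def derive_handshake_key(psk: bytes, transcript: bytes, with_context: bool) -> bytes:
    """Derive a per-handshake key from a PSK-only SS, optionally binding the
    transcript hash as the HKDF context."""
    ss = static_secret_from_psk(psk)
    context = HASH(transcript).digest() if with_context else b""
    return hkdf_expand_label(ss, b"server handshake key", context, HASH_LEN)


# Constructed sample data: one PSK, two handshakes differing only in their randoms.
PSK = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TRANSCRIPT_A = b"ClientHello(random=" + b"\x11" * 32 + b") ServerHello(random=" + b"\xaa" * 32 + b")"
TRANSCRIPT_B = b"ClientHello(random=" + b"\x22" * 32 + b") ServerHello(random=" + b"\xbb" * 32 + b")"


def keys_repeat_without_context() -> bool:
    """True if dropping the context makes the two handshakes derive the same key."""
    return derive_handshake_key(PSK, TRANSCRIPT_A, False) == derive_handshake_key(PSK, TRANSCRIPT_B, False)


def keys_differ_with_context() -> bool:
    """True if binding the transcript hash gives each handshake its own key."""
    return derive_handshake_key(PSK, TRANSCRIPT_A, True) != derive_handshake_key(PSK, TRANSCRIPT_B, True)


if __name__ == "__main__":
    print("same key across handshakes without context:", keys_repeat_without_context())
    print("distinct keys with transcript context:       ", keys_differ_with_context())
```

The point of the model is only that, once SS is a function of the PSK alone, nothing fresh reaches the derived keys unless the label carries a context; whatever nonce property the server side needs has to come in through that hash_value.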