I also agree, FWIW, but expected that this would be addressed by any changes to 0-RTT and PSK in general.
On 20 May 2016 at 09:05, Eric Rescorla <e...@rtfm.com> wrote:
> Thanks for the clarification. Yes, I believe that is true.
>
> -Ekr
>
>
> On Thu, May 19, 2016 at 11:34 PM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>>
>> On Thu, May 19, 2016 at 02:38:35PM -0700, Eric Rescorla wrote:
>> > On Thu, May 19, 2016 at 12:35 PM, Ilari Liusvaara
>> > <ilariliusva...@welho.com>
>> > wrote:
>> > >
>> > > In very quick'n'dirty security analysis the other thing I noticed was
>> > > that if server handshake needs something to be nonce w.r.t. "SS",
>> > > (e.g.
>> > > happens in GDHE-PSK-CERT modes MT posted I-D about), you need contexts
>> > > anyway, even with just "SS" being PSK.
>> >
>> > Sorry, I think you lost me there. Can you rephrase?
>>
>> Basically, I think that without contexts, PSK+ServerCert modes like MT
>> proposed (for 0-RTT with server certificate auth) run into cryptographic
>> issues.
>>
>>
>> -Ilari
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
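As an added illustration of the point Ilari raises above (not code from any of the thread's participants or from the TLS 1.3 drafts), the following Python shows why a handshake context has to be mixed into key derivation when the only secret is a static one such as a PSK standing in for "SS". HKDF-Extract and HKDF-Expand follow RFC 5869; the `expand_label` encoding is an assumed, simplified stand-in for the draft's HKDF-Expand-Label wire format, and the PSK and transcripts are constructed sample values. Without a context, two handshakes under the same PSK derive the identical server key no matter what was exchanged; binding the transcript hash gives each handshake its own key.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); empty salt means zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Simplified HKDF-Expand-Label (assumption: not the draft's exact wire
    format). Label and context are length-prefixed so that distinct
    (label, context) pairs can never collide inside the 'info' input."""
    info = (length.to_bytes(2, "big")
            + bytes([len(label)]) + label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def server_key(psk: bytes, transcript: bytes, bind_context: bool) -> bytes:
    """Derive a server-side handshake key from a PSK acting as 'SS'.

    bind_context=False: the key depends on the PSK alone, so every
    handshake under that PSK yields the same key regardless of what the
    peers exchanged (nothing in it is fresh per handshake).
    bind_context=True: the running transcript hash is mixed in, so each
    handshake gets a key that is separated from every other one."""
    ss = hkdf_extract(b"", psk)  # the PSK is the whole static secret here
    context = HASH(transcript).digest() if bind_context else b""
    return expand_label(ss, b"server handshake key", context, HASH_LEN)


def key_separation_demo() -> dict:
    """Two handshakes under one constructed PSK with different transcripts."""
    psk = b"constructed-psk-for-illustration"
    transcript_a = b"ClientHello(A) | ServerHello(A) | Certificate"
    transcript_b = b"ClientHello(B) | ServerHello(B) | Certificate"
    return {
        "no_context_same_key": server_key(psk, transcript_a, False)
                                == server_key(psk, transcript_b, False),
        "with_context_distinct": server_key(psk, transcript_a, True)
                                  != server_key(psk, transcript_b, True),
    }


if __name__ == "__main__":
    for name, outcome in key_separation_demo().items():
        print(f"{name}: {outcome}")
```

The two booleans returned by `key_separation_demo()` are both True: the context-free derivation collapses every handshake onto one key, which is the kind of cryptographic issue the thread is pointing at for modes where the server needs something fresh per handshake, while the transcript-bound derivation keeps the keys apart.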