On 24 May 2016 at 19:06, Kyle Nekritz <knekr...@fb.com> wrote:
> What is the rationale for restricting a change in certificate? If the server
> has a new certificate that the client would accept with a full handshake,
> what threat is added by also accepting that certificate with a PSK handshake?

This was a request from David Benjamin. But then all the things you mention are why I think that it might have been a bad idea.

I think that the idea was to avoid unnecessary changes. Changes that might regress the security decisions made originally. It was the most conservative choice without thinking about the problem too much.

However, if we model this as new connection + 0-RTT stuff, then I think that we are good. Probably. If anyone disagrees it would be good to hear that.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls