On Fri, Sep 09, 2016 at 02:50:59PM -0500, Benjamin Kaduk wrote:
> I made a few notes on the pull request.  Generally, I support the
> change, but I get the sense that it may aid the cryptographic properties
> if we keep the resumption_context and do not overload the resumption_psk
> as much.
One problem with this is that authentication_methods can include
nontrivial methods even for "static" PSKs, and if the server takes such
a method, you have an attack unless you bind the PSK secret used. And
"static" PSKs don't have a resumption_context.
 
And I would expect that someone will be crazy enough to try to
provision a "static" PSK with the information required to perform
0-RTT (ALPN (or an indication that there is none) and the associated cipher)...

> I have a slight (i.e., unjustified) preference for doing
> ClientHello-with-block-of-zeros rather than prefix-of-ClientHello.  (Is
> there a reason to require this extension to be the last one with
> block-of-zeros?  Clearly there is for prefix-of-ClientHello.)

What about the case where the client tries DHE-PSK and gets the attempt
rejected because of a missing group (or because of address verification)?
0-RTT is gone, yes, but the PSK attempt isn't.

What happens to the hash in this case?



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
