I want to make sure that it is possible to mix PSK with (EC)DH as a protection against the discovery of a quantum computer. I recognize that the WG does not want to tackle this topic in the base specification; however, the following text in Section 4.1.1 makes this difficult to do so in a companion document:
> The server indicates its selected parameters in the ServerHello as > follows: > > - If PSK is being used then the server will send a "pre_shared_key" > extension indicating the selected key. > > - If PSK is not being used, then (EC)DHE and certificate-based > authentication are always used. > > - When (EC)DHE is in use, the server will also provide a "key_share" > extension. > > - When authenticating via a certificate (i.e., when a PSK is not in > use), the server will send the Certificate (Section 4.4.1) and > CertificateVerify (Section 4.4.2) messages. An Internal PSK offers no protection against the discovery of a quantum computer. I assume that an attacker can save the handshake that established the Internal PSK, and then at some future date use the quantum computer to discover the Internal PSK. Therefore, protection against the discovery of a quantum computer is only concerned with External PSK. I would like for the specification to permit normal certificate authentication when someone is using an External PSK. I am guessing that the granularity of the name associated with the External PSK to be pretty broad. If this guess is correct, it would be appropriate for the name in the certificate to be further restrict the one associated with the External PSK. Maybe the External PSK is associated with example.com, and then the certificate that includes www.example.com would be acceptable acceptable. Then, I would expect any Internal PSK that is generated after such an authentication would be associated with the more granular certificate name. Maybe it is as simple as reorganizing these bullets like this: - When only PSK is being used, … - When only (EC)DHE is being used, … - When PSK and (EC)DHE are both being used, … If others agree with this direction, I am willing to propose some text. Happy holidays, Russ _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
