> I agree with David here. Specifically, I think.
>
> - The base specification should continue to forbid certificates in
> combination with PSK
> - We should at some point contemplate an extension that allows the use of
> certificates in combination with PSK
> - The base spec should be factored in such a way as to make that extension
> easy.
While I agree that we do not want to delay the TLS 1.3 specification to sort
this out; however, I do not think we have provided the hook to make this future
extension easy. Looking at the key schedule in -19, I think we can provide
the hook without being disruptive. My goal is to minimize the pain to
implementing the extension in the future by putting a straightforward hook in
today:
0
|
v
PSK -> HKDF-Extract = Early Secret
|
+-----> Derive-Secret(.,
| "external psk binder key" |
| "resumption psk binder key",
| "")
| = binder_key
|
+-----> Derive-Secret(., "client early traffic secret",
| ClientHello)
| = client_early_traffic_secret
|
+-----> Derive-Secret(., "early exporter master secret",
| ClientHello)
| = early_exporter_secret
v
Derive-Secret(., "derived secret", "")
|
v
(EC)DHE -> HKDF-Extract = Handshake Secret
|
+-----> Derive-Secret(., "client handshake traffic secret",
| ClientHello...ServerHello)
| = client_handshake_traffic_secret
|
+-----> Derive-Secret(., "server handshake traffic secret",
| ClientHello...ServerHello)
| = server_handshake_traffic_secret
v
Derive-Secret(., "derived secret", "")
|
v
ExtPSK OR 0 -> HKDF-Extract = Master Secret
|
+-----> Derive-Secret(., "client application traffic secret",
| ClientHello...Server Finished)
| = client_traffic_secret_0
|
+-----> Derive-Secret(., "server application traffic secret",
| ClientHello...Server Finished)
| = server_traffic_secret_0
|
+-----> Derive-Secret(., "exporter master secret",
| ClientHello...Server Finished)
| = exporter_secret
|
+-----> Derive-Secret(., "resumption master secret",
ClientHello...Client Finished)
= resumption_master_secret
The only change is "ExtPSK OR 0” in the HKDF-Extract for the Master Secret
computation.
The Section 4.1.1 can call out this place for the future specification:
OLD:
- When authenticating via a certificate, the server will send the
Certificate (Section 4.4.2) and CertificateVerify (Section 4.4.3)
messages. In TLS 1.3 as defined by this document, either a PSK or
a certificate is always used, but not both. Future documents may
define how to use them together.
NEW:
- When authenticating via a certificate, the server will send the
Certificate (Section 4.4.2) and CertificateVerify (Section 4.4.3)
messages. In TLS 1.3 as defined by this document, either a PSK or
a certificate is always used, but not both. So, the ExtPSK is not
used in the key schedule (Section 7.1). Future documents may
define how to use them together and tell how the ExtPSK is
handled in the key schedule.
Russ
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
