On Tue, Apr 18, 2017 at 09:48:33AM -0400, Eric Rescorla wrote: > https://github.com/tlswg/tls13-spec/pull/962 > Target merge date: Thursday > > In reviewing the specification, I noticed that we seem to have banned the > use of CertificateRequest with PSK both in the main handshake and in the > post-handshake phase. I don't believe that this was intentional and it > makes it very hard to use client auth with resumption. Accordingly I have > filed the above PR to remove that restriction (while retaining it for the > main handshake). As I understand it, several of the analyses we have > already assumed this case and covered it, so no additional work is needed > there.
On topic of PSKs, I noticed that TLS 1.3 makes it very easy to mount dictionary attacks against PSK, regardless of DHE-PSK (especially to recover the client PSK). I assumed that the document already documents this, but I couldn't find any remark that using low-entropy PSKs is very bad idea. IIRC, the TLS 1.0-1.2 PSK RFC does discuss dictionary attacks a bit. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
