From: Eric Rescorla [mailto:e...@rtfm.com]
It's pretty straightforward to mix the static server DH share into the final
traffic keys (that last 0 input in the key schedule is kind of a placeholder
for that). As you say, the client's key is more difficult, but mixing into the
Finished MAC would be relatively straightforward, though we might
need to mess with the key schedule a bit to make that work.

I thought we would need to modify the key schedule in section 7.1, replacing the
PSK input at the start with the static share [c_id]S_id (or [s_id]C_id) and then
replace the (EC)DHE input lower down with the Triple-DH.

But I'd rather not get too sidetracked by the TLS 1.3 changes right now. I am in
any case not up to speed on all the changes and discussions around that.
--
Tony

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
