On Thu, Oct 26, 2017 at 9:41 AM, Tony Putman <tony.put...@dyson.com> wrote:
> *From:* Eric Rescorla [mailto:e...@rtfm.com] > It's pretty straightforward to mix the static server DH share into the > final > > traffic keys (that last 0 input in the key schedule is kind of a > placeholder > > for that). As you say, the client's key is more difficult, but mixing into > the > > Finished MAC would be relatively straightforward, though we might > > need to mess with the key schedule a bit to make that work. > > > > I thought we would need to modify the key schedule in section 7.1, > replacing the > > PSK input at the start with the static share [c_id]S_id (or [s_id]C_id) > and then replace > > the (EC)DHE input lower down with the Triple-DH. > That's one option. But I'd rather not get too sidetracked by the TLS 1.3 changes right now. I > am in any > > case not up to speed on all the changes and discussions around that. > Fair enough. I would say that we want an anonymous client mode to work properly (the same mode that QUIC Crypto uses) -Ekr >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
