On Thu, Oct 26, 2017 at 09:46:09AM -0700, Eric Rescorla wrote:
> On Thu, Oct 26, 2017 at 9:41 AM, Tony Putman <tony.put...@dyson.com> wrote:
>
> > I thought we would need to modify the key schedule in section 7.1,
> > replacing the
> >
> > PSK input at the start with the static share [c_id]S_id (or [s_id]C_id)
> > and then replace
> >
> > the (EC)DHE input lower down with the Triple-DH.
> >
>
> That's one option.

Allowing the PSK key slot to hold a keypair? However, that would only work for server authentication, not client authentication, which would need its own mechanisms. Which are rendered more interesting by being in the last flight and thus not being able to affect server encryption keys.

Also, I would be real careful about how such a thing would interact with 0-RTT. 0-RTT is difficult to analyze as is, you don't need unbound keys to make it even more exciting.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls