All,

Thanks for your many comments. I still feel that this would be a useful addition to the TLS authentication methods, and Eric expressed an interest in seeing this fleshed out more, so should my next step be to compose a draft document?

In response to the comments, I have searched the past draft documents and have found nothing on triple DH. It is used in the Signal protocol, which references some papers, but does not seem to have been taken up by the IETF anywhere.

@Dan, thanks for the pointer to MQV variants. This seems to be more efficient and there have been a couple of TLS drafts on using this (last one in 2010). I could find no discussion of this in the list archives, which is odd, so I don't know why they did not progress. However, if there are licensing matters then I feel this would impede widespread implementation so I would not be interested in pursuing that path.

@Hannes, I want to improve on PSK in the cheapest way possible. This means removing the overheads of certificates, but it also means removing the need for an ECDSA implementation in the IoT device. The associated protocol simplifications are also attractive for small devices.

@Christian, I don't propose to expose the public keys, but the respective identities are exposed. As the protocol messages are identical to the ECDHE_PSK protocol, the privacy issues are likewise identical. Right now, I don't see a way around this in TLS 1.2.

@Eric, I had not given any thought to anonymous client, as this was intended to improve on ECDHE_PSK. However, if you think that it's important then it seems straightforward to add, though additional security checks may be needed (I'll investigate).

@Eric, @Ilari, if you think that I should also address the use of 3DH in TLS 1.3 then I'm happy to do so, but I would like to undertake it as a separate activity. I feel that there are too many differences to try to undertake it in a single document.

-- Tony

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls