On 3/15/2018 5:51 PM, Benjamin Kaduk wrote:
> On Thu, Mar 15, 2018 at 12:25:38PM +0100, Hubert Kario wrote:
> ...
>> we do not have a reliable mechanism of differentiating between external and
>> resumption PSKs while parsing Client Hello
> Well, a valid external PSK (identity) the server will of course
> recognize, and we have a SHOULD-level requirement that the
> obfuscated_ticket_age is zero for external PSKs. I haven't gotten
> to think through whether there is still potential for information
> leakage about external PSK identities, but it seems like there would
> not be, provided that the server prefers resumption to external-PSK
> full handshakes.
>

I am concerned with the privacy issues linked to these "external PSK identities". If a system is set so that clients use static PSK identities, then the identity is an identifier and the client's movements and connections can be tracked. I don't think privacy is improved if we make it easy to differentiate external identities from resumption tickets.

If you want to use PSK with some level of privacy, you might adopt a different setup. For example, servers could provision the clients with a set of single-use external PSK identities. But then, that looks a lot like resumption. Or, clients could generate single-use external PSK identities by encrypting their long term identity and a nonce with the public key of the server, a design which of course has its own set of issues.

-- Christian Huitema
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
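
An added illustration of the static versus server-provisioned single-use identity setups discussed in the message above; it is not code from the thread or from any TLS implementation. `PskServer`, `linkable_groups`, `simulate` and the identity `client-42` are hypothetical, and no handshake is performed: only the identity bytes a passive observer would see in the ClientHello are modelled.

```python
import secrets
from collections import Counter


class PskServer:
    """Hypothetical server-side table of single-use external PSK identities."""

    def __init__(self):
        self._unused = {}  # identity bytes -> client name

    def provision(self, client, count):
        """Issue `count` random 16-byte identities for one client (out of band)."""
        batch = [secrets.token_bytes(16) for _ in range(count)]
        for identity in batch:
            self._unused[identity] = client
        return batch

    def accept(self, identity):
        """Return the client for an unused identity and consume it, else None."""
        return self._unused.pop(identity, None)


def linkable_groups(observed):
    """Observer's view: identity values seen on more than one connection."""
    return {ident: n for ident, n in Counter(observed).items() if n > 1}


def simulate(connections=5):
    server = PskServer()
    # Static setup: the same identity bytes appear in every ClientHello.
    static_wire = [b"client-42"] * connections  # constructed sample identity
    # Single-use setup: one provisioned identity per connection.
    pool = server.provision("client-42", connections)
    single_wire, resolved = [], []
    for identity in pool:
        single_wire.append(identity)               # what the observer sees
        resolved.append(server.accept(identity))   # what the server learns
    return {
        "static_links": linkable_groups(static_wire),
        "single_links": linkable_groups(single_wire),
        "resolved": resolved,
        "replay": server.accept(pool[0]),  # a consumed identity is rejected
    }


if __name__ == "__main__":
    print(simulate())
```

The per-identity table the server has to keep and consume is the state that makes this setup resemble ticket-based resumption.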