On Wed, 2018-04-18 at 12:25 -0400, Russ Housley wrote:
> In London, I was on the agenda to talk about certificate-based
> authentication with external pre-shared key (PSK). We ran out of
> time, and I did not get to make the presentation. The slides are in
> the proceedings; see
> https://datatracker.ietf.org/meeting/101/materials/slides-101-tls-sessa-certificate-based-authentication-with-external-psk-00.
>
> Please review the document and send comments to the list.
>
> I would like the TLS WG to adopt this document.

In the presentation the main driver for it seems to be quantum computer resistance as a temporary measure. If that's the main argument I don't think it is really significant. PSK can hardly be used with PKI, and as a matter of fact we use PKI because of PSK key distribution problems. If we switch to PSK for quantum computer resistance, is there a reason to use PKI? Probably not (I may be wrong here; if there is a reason for a hybrid model I'm missing, I'd be glad to know).

I could see the main driver for such a proposal being the replacement of the RSA-PSK ciphersuites. I know they have _some_ adoption, but I'm not sure whether that is significant enough to require an update to TLS 1.3.

On the implementation side, why not use post-handshake authentication here? I.e., extend it to be usable from the client side, and on a PSK key exchange, have the client request server authentication after the handshake?

regards,
Nikos