On Fri, Jun 15, 2018 at 05:26:33PM +0200, Jonathan Hoyland wrote:
> Agreement on a channel binding in the identity would prove, amongst other
> things, agreement on the KDF used to derive the PSK, whereas the TLS
> handshake proves agreement on the PSK itself, but says nothing about the
> derivation of it.
> This way means you don't have to worry about collisions between hash
> functions, as long as the channel binding is correctly constructed.

While this is an interesting way to think about things, it's unclear to me how general it is for framing the problem. That is to say, there is not necessarily a "channel" used to provision what TLS 1.3 calls "external PSKs". My model for them includes an administrator typing a hex string into a configuration file on both ends of the connection, or a manufacturer burning a key into ROM for an IoT device -- what would the "channel" be in those cases? (Or do I completely misunderstand what you're trying to do?)

-Ben