On Thu, Sep 19, 2019 at 06:03:44PM -0400, Richard Barnes wrote:
> On Thu, Sep 19, 2019 at 5:49 PM Nico Williams <n...@cryptonector.com> wrote:
> > On Thu, Sep 19, 2019 at 04:57:17PM -0400, Richard Barnes wrote:
> > > I don't think anyone's asking for these cases to be differentiable on the
> > > wire. The question is whether the *server* can differentiate, in
> > > particular, the application running on the server.
> >
> > And the answer to that one is "yes", because the server has control over
> > the PSK IDs.
>
> That glosses over an important distinction made up-thread: When we say "the
> server", there is typically a distinction between the TLS stack and the
> server application logic. Resumption PSKs are typically controlled by the
> TLS stack, while external PSKs are provided by the application logic. The
> question is how the application logic, when presented with a session
> authenticated under a given PSK ID, can distinguish whether the PSK used
> was one provided by the TLS stack for resumption, or provided by the
> application logic.
Depends on which gets a first crack at it. You could have a plugin system as
well where the plugins are invoked by the TLS stack. And again, order may
matter if there's no reliable way to "taste" the PSK IDs.

So the answer is that order of evaluation matters, and that's OK.

Nico

--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
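An added illustration of the point argued in this message, not code from the thread or any TLS stack: a toy server-side PSK selector in which the stack's resumption identities carry a MAC it can "taste", so ownership is decided by the identity itself, while without such a taste the evaluation order decides. The MAC-tagged identity layout, STACK_KEY and the dictionary stores are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed model: the TLS stack owns resumption PSKs, the application
# owns external PSKs. STACK_KEY is known only to the stack.
STACK_KEY = secrets.token_bytes(32)


def issue_resumption_identity(resumption_db):
    """TLS stack mints a resumption identity it can later recognise."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(STACK_KEY, nonce, hashlib.sha256).digest()[:16]
    ident = nonce + tag
    resumption_db[ident] = secrets.token_bytes(32)  # per-ticket resumption secret
    return ident


def tastes_like_resumption(ident):
    """Reliable taste: only identities carrying a valid stack MAC pass."""
    if len(ident) != 32:
        return False
    nonce, tag = ident[:16], ident[16:]
    expect = hmac.new(STACK_KEY, nonce, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, expect)


def select_psk(offered, resumption_db, external_db, taste, app_first=False):
    """Resolve the first offered identity; returns (index, owner, psk) or None.

    With a taste function the owner is fixed by the identity, independent of
    order. Without one (taste=None) the order of evaluation decides who wins.
    """
    for i, ident in enumerate(offered):
        if taste is not None:
            owner = "resumption" if taste(ident) else "external"
            db = resumption_db if owner == "resumption" else external_db
            if ident in db:
                return i, owner, db[ident]
            continue  # stack-owned but expired: do not fall through to the app
        order = [("external", external_db), ("resumption", resumption_db)]
        if not app_first:
            order.reverse()
        for owner, db in order:
            if ident in db:
                return i, owner, db[ident]
    return None
```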