Martin:
> I think that this is a useful erratum and it should be approved/HFDU. The
> extension to which this text alludes is RFC 8773, not post_handshake_auth.
>
> There is one other piece to this that is very confusing, and less clear.
>
> "Servers which are authenticating with a PSK MUST NOT send the
> CertificateRequest message in the main handshake, though they MAY send it in
> post-handshake authentication (see Section 4.6.2) provided that the client
> has sent the "post_handshake_auth" extension (see Section 4.2.6)."
>
> The motivation is the attack that Sam Scott et al. found in their analysis
> of resumption:
> https://mailarchive.ietf.org/arch/msg/tls/TugB5ddJu3nYg7chcyeIyUqWSbA/
> However, this statement is unclear on whether it applies to external,
> resumption, or both types of PSK, but without qualification as it is you
> might be forgiven for thinking that it is both.
>
> However, the document already says:
>
> "It is unsafe to use certificate-based client authentication when the client
> might potentially share the same PSK/key-id pair with two different
> endpoints."
>
> So I think that the right interpretation is that this statement applies to "a
> resumption PSK" only.
>
> If people agree with this interpretation, then I will file another erratum of
> the form:
>
> OLD:
> Servers which are authenticating with a PSK MUST NOT send the
> CertificateRequest message in the main handshake, [...]
> NEW:
> Servers which are authenticating with a resumption PSK MUST NOT send the
> CertificateRequest message in the main handshake, [...]

Works for me too.

Russ