Authentication feels weaker in PSK-mode:

* A server proves possession of a (short-term) shared key,

whereas, with certificate-based authentication,

* A server proves possession of a (long-term) private key;

should we consider PSK-mode authentication weaker than certificate-based authentication?

PSK-mode cannot be bolstered with certificate-based authentication: "In TLS 1.3...either a PSK or a certificate is always used, but not both. Future documents may define how to use them together." Have any such documents emerged?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls