Rob Sayre <say...@gmail.com> writes:

> Couldn't an implementation use data from a preexisting agreement in a
> conventional TLS handshake?
Yep, that's more or less TOFU then. TLS isn't supposed to do that though because then it would look like it was SSH, or some reason like that. I sketched out TOFU-for-TLS years ago but never did anything with it because I just couldn't face the headache of trying to get it through the TLS WG. If there's any interest in it I could see if I've still got the text lying around somewhere and turn it into a draft.

(Note that this is different from session resumption/session tickets in that it's a new session authenticated with previous-session data, not resuming an existing session based on cached data, so there's no need for a server to hang onto everyone's session state in perpetuity as there would be with resumption/session tickets. It also provides PFS if the (EC)DH suites are used while resumption/session tickets don't.)

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
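The client-side half of the TOFU idea discussed above, as an added illustration that is not Peter's sketch or any draft text: a known_hosts-style continuity store that records the peer's certificate on first contact and compares it on every later (fresh, not resumed) handshake, so all state lives on the client and the server keeps nothing per peer. The pin format (base64 of SHA-256 over the DER certificate), the verdict names and the sample certificate bytes are assumptions of this example; in a real client the DER would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import base64
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional

# Verdicts returned by TofuStore.check(); policy on each is the caller's decision.
FIRST_USE = "first-use"   # nothing recorded yet: record it and proceed (the leap of faith)
MATCH = "match"           # same certificate as last time: continuity holds
MISMATCH = "mismatch"     # different certificate: refuse unless an operator re-trusts it


def pin_of(cert_der: bytes) -> str:
    """Pin = base64(SHA-256(DER certificate)). Hypothetical format chosen for this example."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


class TofuStore:
    """Client-side continuity store (like SSH known_hosts). Every new session is
    authenticated against what the client saw previously; no server-side state."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=1, sort_keys=True))

    def check(self, host: str, cert_der: bytes) -> str:
        """Compare the peer certificate for `host` with the recorded pin.
        A mismatch never overwrites the stored pin: that needs an explicit forget()."""
        pin = pin_of(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = pin
            self._save()
            return FIRST_USE
        return MATCH if known == pin else MISMATCH

    def forget(self, host: str) -> None:
        """Operator action after a key change has been confirmed out of band."""
        self.pins.pop(host, None)
        self._save()
```

Constructed certificate bytes such as `b"cert-A"` stand in for real DER in a test; the store works the same on the bytes a live handshake returns.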