On Tue, Jul 04, 2023 at 08:00:00AM +0200, Thom Wiggers wrote:
>
> It has been a while since I have had time to work on the IETF draft for
> AuthKEM (``draft-celi-wiggers-tls-authkem``, aka "KEMTLS"), and some of you
> have previously asked when the draft (which is currently expired) will be
> updated. In this email, I want to pick up the work again.
>
> Specifically, I want to do the following:
>
> * Split the proposal in two parts for improved legibility and applicability
> to use cases
> * Once this is done and in a good shape, move forward towards consensus
> with the aim of adoption
>
> I will now describe the plan in more detail. I am welcoming further
> suggestions, and would like to hear if these changes make sense and are
> appreciated. If nothing else, you're welcome to help bikeshed draft names.
> :-)
>
> The draft currently describes TLS authentication via KEM ("KEMTLS
> authentication") and TLS-PSK-style abbreviated handshakes via KEM
> (KEMTLS-PDK). The TLS authentication and the abbreviated KEM-based
> PSK-style handshake probably are independently interesting. The two
> proposals can be split and this would hopefully make evaluating them
> easier. AuthKEM and "pre-shared KEM" can be independently implemented.
Reading the draft, it occurs to me that adapting it to work on DTLS (or
unreliable CTLS) might require major and very challenging changes to
DTLS 1.3. Especially with client authentication.
And 0-RTT client auth probably can not work in DTLS at all, since DTLS
has no reliability for 0-RTT, unlike other handshake, which is reliable.
-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
