Christian:
> > Thanks. I am not 100% sure that we actually have an attack against the [EC]DH+PSK combination, but I am confident that if the PSK secret is weak, the attacker can get to the early data. If only for that, it is prudent to use a long enough PSK.
As stated in draft-ietf-tls-8773bis, some people are interested in using the external PSK with a certificate to protect against the future invention of a Cryptographically Relevant Quantum Computer (CRQC). Others want to use a public key with a factory-provisioned secret value for the initial enrollment of a device in an enterprise network (for example draft-ietf-emu-bootstrapped-tls).

For the security considerations, I suggest an additional paragraph:

   Implementations must use sufficiently large external PSKs. For protection against the future invention of a CRQC, the external PSK needs to be at least 256 bits.

Does that resolve your concern?

Russ
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls