On Sat, Mar 15, 2025 at 6:19 PM Rob Sayre <say...@gmail.com> wrote:

> On Sat, Mar 15, 2025 at 4:55 PM Eric Rescorla <e...@rtfm.com> wrote:
>
>>
>> Note that this wouldn't necessarily be the case if you allowed the
>> combination of certificate-based auth and the PAKE, though that might
>> be problematic for other reasons.
>>
>
> That was exactly my thought. I think I have seen some OPAQUE drafts that
> don't start from "0" in the key schedule.
>
> So, what are the "other reasons"? Not meant as sarcastic scare quotes.
> But, what are they?
>

I'm not sure there necessarily are any; I just haven't thought through
the problem completely and so wanted to leave room for there being some
barrier I wasn't aware of.

With that said, it seems like you would want to have some formal
verification that the PAKE and certificate-based auth played well
together, and in particular that they were non-separable.

-Ekr
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
