Just re-reading the text on PSK, I noticed a few things.  The text in Section 
2.1.2 talks about PSK, the session ticket, and a "key_share" extension.   The 
accompanying diagram doesn't include any of those.  I suggest updating the 
diagram to include them.

  As a related note, if the PSK *is* in the resumption cache, but the key is 
wrong, the cache entry should not be discarded.  Otherwise an attacker can 
disable caching for *all* users.  This issue could be clearer in this document.

  Perhaps it would be useful to add a short note in Section 5 about the security 
of resumption.  It should reference RFC 8446 Sections 8.1 and 8.2, which discuss 
this issue.  Also, Section 4.2.11 of that document has an "Implementor's note:" 
which is important.

  Alan DeKok.
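
The cache behaviour described in the message above, as an added example that is not part of the original e-mail or of any implementation it refers to. The `ResumptionCache` class, its `evict_on_failure` switch, and the sample identity and keys are hypothetical, and the binder is a simplified HMAC stand-in rather than the RFC 8446 key schedule.

```python
import hashlib
import hmac


def binder(psk: bytes, transcript: bytes) -> bytes:
    # Simplified stand-in for the TLS 1.3 PSK binder: an HMAC keyed by the PSK
    # over the handshake transcript (the real key schedule is in RFC 8446).
    return hmac.new(psk, transcript, hashlib.sha256).digest()


class ResumptionCache:
    """Hypothetical server-side cache: PSK identity -> PSK."""

    def __init__(self, evict_on_failure: bool = False):
        self.entries = {}
        self.evict_on_failure = evict_on_failure  # True models the flawed policy

    def store(self, identity: bytes, psk: bytes) -> None:
        self.entries[identity] = psk

    def try_resume(self, identity: bytes, transcript: bytes, offered: bytes) -> bool:
        psk = self.entries.get(identity)
        if psk is None:
            return False  # unknown identity: fall back to a full handshake
        if hmac.compare_digest(binder(psk, transcript), offered):
            return True
        # Wrong key: reject this attempt. The identity travels in the clear, so
        # a failed proof says nothing about the legitimate holder of the entry.
        if self.evict_on_failure:
            del self.entries[identity]
        return False


def legit_resumes_after_bad_attempt(evict_on_failure: bool) -> bool:
    cache = ResumptionCache(evict_on_failure)
    identity, psk = b"ticket-0001", b"\x11" * 32   # constructed sample values
    cache.store(identity, psk)
    # A peer that knows the identity but not the key offers a wrong binder.
    assert not cache.try_resume(identity, b"hello-A", binder(b"\x22" * 32, b"hello-A"))
    # The legitimate peer then tries to resume with the correct key.
    return cache.try_resume(identity, b"hello-B", binder(psk, b"hello-B"))


if __name__ == "__main__":
    print("keep entry on failure :", legit_resumes_after_bad_attempt(False))
    print("evict entry on failure:", legit_resumes_after_bad_attempt(True))
```

With the entry kept, the failed attempt costs only that one handshake; with eviction enabled, the legitimate peer is forced back to a full authentication.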
