Re: [TLS] Remove DH-based 0-RTT

2016-02-23 Thread Martin Thomson
On 23 February 2016 at 11:24, Wan-Teh Chang wrote: > It seems sufficient to just ban client authentication in replayable > DH-based 0-RTT. Why remove DH-based 0-RTT altogether? On the grounds that it is more complex to analyze, build, and test. And given that deferring the

Re: [TLS] 0.5 RTT

2016-02-23 Thread Hugo Krawczyk
On Tue, Feb 23, 2016 at 5:08 PM, Martin Thomson wrote: > On 23 February 2016 at 14:01, Karthikeyan Bhargavan > wrote: > > The main downgrade concern, I think, is for the 0.5-RTT data’s > confidentiality; i.e. it may have been sent encrypted

Re: [TLS] 0.5 RTT

2016-02-23 Thread Martin Thomson
On 23 February 2016 at 14:26, Hugo Krawczyk wrote: > Karthik, I think that what you are pointing to are cases where the client > *is* authenticated via its PSK. In the downgrade scenario, that doesn't seem right, but maybe it's just that the client's ClientHello is being

Re: [TLS] Remove DH-based 0-RTT

2016-02-23 Thread Watson Ladd
On Tue, Feb 23, 2016 at 7:39 PM, Hugo Krawczyk wrote: > > > On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett > wrote: >> >> On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote: >> > I propose that we remove DH-based 0-RTT from TLS 1.3. >> >

Re: [TLS] Removing the "hint" from the Session Ticket Lifetime hint

2016-02-23 Thread Subodh Iyengar
One other proposal which is related is to make server config have relative time as well instead of absolute time. If we don't make this relative this expiration time might not be practically enforceable due to clock skew. This enforcement is relevant in situations where compromise of the

Re: [TLS] Removing the "hint" from the Session Ticket Lifetime hint

2016-02-23 Thread Benjamin Kaduk
On 02/23/2016 11:42 AM, Nick Sullivan wrote: > My proposed change is to change the session ticket lifetime hint to a > strict lifetime along the lines of the ServerConfiguration: > But leave it as a relative time, contrasting the absolute expiration time of the server configuration -- why not go

[TLS] Removing the "hint" from the Session Ticket Lifetime hint

2016-02-23 Thread Nick Sullivan
Draft 11 currently supports both ServerConfiguration and PSK + Session Ticket for session resumption (0RTT or otherwise). Both mechanisms have the same properties in terms of forward secrecy: a compromise of the server's private data (whether PSK, session ticket key, or DH exponent) lets an

[TLS] Remove DH-based 0-RTT

2016-02-23 Thread Martin Thomson
Now that the other issue is in the bag, let's talk about making some real savings. I propose that we remove DH-based 0-RTT from TLS 1.3. As ekr's previous mail noted, the security properties of PSK-based 0-RTT and DH-based 0-RTT are almost identical. And DH-based 0-RTT is much more complex.

[TLS] Request for information: Lightweight Mutual Authentication for Constrained Devices?

2016-02-23 Thread Ronald del Rosario
Greetings TLS Group, Looking for standards/drafts/documentation or similar research discussing a mutual authentication framework for contained devices (Devices with limited processing power, battery, runs on wireless Network) Thanks in advance, Ron

Re: [TLS] 0.5 RTT

2016-02-23 Thread Stephen Farrell
On 23/02/16 22:37, Hugo Krawczyk wrote: > > (In particular, if these semantics may be based on stuff that happens > outside TLS, as Karthik and Watson were pointing out, then maybe we really > put a "Surgeon General" warning on 0.5 data of equal size to that of 0-RTT.) That, and/or also do a

Re: [TLS] Remove DH-based 0-RTT

2016-02-23 Thread Hugo Krawczyk
On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett wrote: > On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote: > > I propose that we remove DH-based 0-RTT from TLS 1.3. > > > > As ekr's previous mail noted, the security properties of PSK-based > > 0-RTT and

Re: [TLS] SRP ?

2016-02-23 Thread Rick van Rein
Hi, > Is anyone using SRP with TLS? The OpenSSL implementation in particular? > We're considering it too, although not necessarily through OpenSSL. Also I'd really prefer an ECDH-based formalism; I'm not sure if work on that is being done, or where. -Rick

Re: [TLS] Removing the "hint" from the Session Ticket Lifetime hint

2016-02-23 Thread Russ Housley
It makes sense to me that the lifetimes be the same. Russ On Feb 23, 2016, at 12:42 PM, Nick Sullivan wrote: > Draft 11 currently supports both ServerConfiguration and PSK + Session Ticket > for session resumption (0RTT or otherwise). Both mechanisms have the same > properties in terms of

Re: [TLS] 0.5 RTT

2016-02-23 Thread Hugo Krawczyk
On Tue, Feb 23, 2016 at 3:49 PM, Karthikeyan Bhargavan < karthik.bharga...@gmail.com> wrote: > There are some fears about 0.5-RTT data that do not necessarily apply to > post-client authentication, at which point at least both parties have sent > their Finished messages. > > When the server is

Re: [TLS] 0.5 RTT

2016-02-23 Thread Karthikeyan Bhargavan
> That's right, we do not consider downgrades or client authentication but > Martin's suggestion explicitly only applies to the case where the server > does not require client authentication so the analysis holds in that case. As > for downgrades, this will be discovered by the server when

[TLS] SRP ?

2016-02-23 Thread Salz, Rich
Is anyone using SRP with TLS? The OpenSSL implementation in particular? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz