On 23 February 2016 at 11:24, Wan-Teh Chang wrote:
> It seems sufficient to just ban client authentication in replayable
> DH-based 0-RTT. Why remove DH-based 0-RTT altogether?
On the grounds that it is more complex to analyze, build, and test.
And given that deferring the
On Tue, Feb 23, 2016 at 5:08 PM, Martin Thomson
wrote:
> On 23 February 2016 at 14:01, Karthikeyan Bhargavan
> wrote:
> > The main downgrade concern, I think, is for the 0.5-RTT data’s
> > confidentiality; i.e. it may have been sent encrypted
On 23 February 2016 at 14:26, Hugo Krawczyk wrote:
> Karthik, I think that what you are pointing to are cases where the client
> *is* authenticated via its PSK.
In the downgrade scenario, that doesn't seem right, but maybe it's
just that the client's ClientHello is being
On Tue, Feb 23, 2016 at 7:39 PM, Hugo Krawczyk wrote:
>
>
> On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett
> wrote:
>>
>> On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote:
>> > I propose that we remove DH-based 0-RTT from TLS 1.3.
>> >
One other proposal which is related is to make server config have relative time
as well instead of absolute time. If we don't make this relative this
expiration time might not be practically enforceable due to clock skew.
This enforcement is relevant in situations where compromise of the
On 02/23/2016 11:42 AM, Nick Sullivan wrote:
> My proposed change is to change the session ticket lifetime hint to a
> strict lifetime along the lines of the ServerConfiguration:
>
But leave it as a relative time, contrasting the absolute expiration
time of the server configuration -- why not go
Draft 11 currently supports both ServerConfiguration and PSK + Session
Ticket for session resumption (0RTT or otherwise). Both mechanisms have the
same properties in terms of forward secrecy: a compromise of the server's
private data (whether PSK, session ticket key, or DH exponent) lets an
Now that the other issue is in the bag, let's talk about making some
real savings.
I propose that we remove DH-based 0-RTT from TLS 1.3.
As ekr's previous mail noted, the security properties of PSK-based
0-RTT and DH-based 0-RTT are almost identical. And DH-based 0-RTT is
much more complex.
Greetings TLS Group,
Looking for standards/drafts/documentation or similar research discussing a
mutual authentication framework for contained devices (devices with limited
processing power and battery, running on a wireless network).
Thanks in advance,
Ron
On 23/02/16 22:37, Hugo Krawczyk wrote:
>
> (In particular, if these semantics may be based on stuff that happens
> outside TLS, as Karthik and Watson were pointing out, then maybe we really
> put a "Surgeon General" warning on 0.5 data of equal size to that of 0-RTT.)
That, and/or also do a
On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett
wrote:
> On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote:
> > I propose that we remove DH-based 0-RTT from TLS 1.3.
> >
> > As ekr's previous mail noted, the security properties of PSK-based
> > 0-RTT and
Hi,
> Is anyone using SRP with TLS? The OpenSSL implementation in particular?
>
We're considering it too, although not necessarily through OpenSSL.
Also I'd really prefer an ECDH-based formalism; I'm not sure if work on
that is being done, or where.
-Rick
It makes sense to me that the lifetimes be the same.
Russ
On Feb 23, 2016, at 12:42 PM, Nick Sullivan wrote:
> Draft 11 currently supports both ServerConfiguration and PSK + Session Ticket
> for session resumption (0RTT or otherwise). Both mechanisms have the same
> properties in terms of
On Tue, Feb 23, 2016 at 3:49 PM, Karthikeyan Bhargavan <
karthik.bharga...@gmail.com> wrote:
> There are some fears about 0.5-RTT data that do not necessarily apply to
> post-client authentication, at which point at least both parties have sent
> their Finished messages.
>
> When the server is
> That's right, we do not consider downgrades or client authentication but
> Martin's suggestion explicitly only applies to the case where the server
> does not require client authentication so the analysis holds in that case. As
> for downgrades, this will be discovered by the server when
Is anyone using SRP with TLS? The OpenSSL implementation in particular?
--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls