On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <[email protected]> wrote:
> On Friday, February 19, 2016 12:57:04 am Bill Cox wrote:
> > Having two different modes to achieve basically the same
> > thing in TLS 1.3 is a bad idea.
>
> On Friday, February 19, 2016 10:01:31 am Salz, Rich wrote:
> > I greatly prefer one way to do things.
>
> I do not fundamentally disagree. I would support dropping PSK resumption
> in favor of using only DHE 0RTT for resumption.

This would represent a major performance regression from TLS 1.2 and
therefore I do not believe is practical.

> With PSK resumption, as far as I know, the issue of what cipher suites to
> offer & use has not been settled, or at least written down in the spec. Not
> having to use all of the PSK suites (or non-PSK suites but actually using
> PSK, which could be confusing) and the PSK extension for resumption, and
> instead using some session ID and DHE 0RTT would be simpler and not lose
> capability.

I'm fairly far into a PSK-resumption implementation and I don't believe
that that is going to be correct. I do agree that some details need to be
written down, but I don't expect them to be that hard.

> I think that requiring PSK for 0RTT would significantly reduce the
> availability of actually using 0RTT, whilst providing no way to improve the
> situation over the long term.

My impression is exactly the opposite. All the infrastructure to
PSK-resumption and hence PSK-0RTT is already in place for TLS 1.2. And of
course PSK-resumption is also much faster.

> It would mean that TLS only has 0RTT resumption and not actually have any
> 0RTT sessions.

Why do you think that this makes a material difference?

-Ekr
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
