Now that the other issue is in the bag, let's talk about making some real savings.
I propose that we remove DH-based 0-RTT from TLS 1.3. As ekr's previous mail noted, the security properties of PSK-based 0-RTT and DH-based 0-RTT are almost identical. And DH-based 0-RTT is much more complex.

For those who love DH-based 0-RTT, and I know that some people are fans, here's something that might make you less sad about removing it from the core spec.

You can use DH out of band to negotiate a PSK. You might even do this as an extension to TLS, but that's of less value.

If you - for example - had the offline configuration from https://unicorn-wg.github.io/tls-offline-config/ then you could simply state that using the included configuration identifier caused the session to have a "PSK". That "PSK" could be a value derived from a shared secret (g^xs) plus maybe HKDF that took the configuration as a label input. Then you get something that follows Hugo's existing analysis.

What you don't get is in-TLS server configuration, but we've established that we don't really need that.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
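The derivation sketched in the message above, as an added illustration that is not part of the original post or of any TLS implementation: the client and the server each compute g^xs from the server's published share g^s and the client's ephemeral share g^x, then run it through HKDF (RFC 5869, stdlib `hmac`/`hashlib` only) with a label and a hash of the offline configuration in the `info` input, so the resulting PSK is bound to that configuration. The DH group, the label string and the sample exponents are constructed for the example; a real deployment would use a standard group and a label fixed by the spec.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

# Constructed toy group for illustration only (2^61-1 is prime); a real deployment
# would use a standard finite-field or elliptic-curve group, never a modulus this small.
TOY_P = 2**61 - 1
TOY_G = 5
PSK_LABEL = b"tls-offline-config psk"   # assumed label; the spec would fix the real one

def derive_psk(shared_secret: int, config: bytes) -> bytes:
    """Turn the DH shared secret g^xs into a 32-byte PSK bound to the offline configuration."""
    ikm = shared_secret.to_bytes((TOY_P.bit_length() + 7) // 8, "big")
    prk = hkdf_extract(b"", ikm)
    # The configuration enters via HKDF's info (the "label input" of the message),
    # so the same g^xs under a different configuration yields an unrelated PSK.
    return hkdf_expand(prk, PSK_LABEL + HASH(config).digest(), 32)

def both_sides(config: bytes, s: int = 123456789, x: int = 987654321):
    """Compute the PSK as the client and as the server; both must agree. s, x are constructed exponents."""
    g_s = pow(TOY_G, s, TOY_P)                          # server share, published in the offline config
    g_x = pow(TOY_G, x, TOY_P)                          # client ephemeral share, sent in the handshake
    client_psk = derive_psk(pow(g_s, x, TOY_P), config)  # client knows x, learns g^s from the config
    server_psk = derive_psk(pow(g_x, s, TOY_P), config)  # server knows s, receives g^x
    return client_psk, server_psk
```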