On Mon, Aug 08, 2016 at 10:17:40AM +0200, Nikos Mavrogiannopoulos wrote: > Hello, > I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3 > draft [0], and I noticed quite some deviations (IMO) from typical TLS > protocol behavior. No rationale is given about them so I ask on list. > > To summarize, the client sends a list of identitities and the server > replies with an index indicating which identity is approved. > > 1. The server reply with an index is unique in TLS. It is not used in > ciphersuite selection or in any other negotiation in TLS where the > client sends multiple options. Why not have the server reply with the > selected username.
More compact and makes the option where server sends some bad option more clear. > 2. Why does the client send multiple identities? In TLS-SRP a single > identity is sent, and the same in the existing TLS-PSK rfc. How is this > envisioned to be used? A client sends: I'm probably one of Bob, Nikos, > George, take a look on that list and tell me who I really am? In that > case why not allow the server, to reply with a username outside that > list (i.e., assign a new one to be used at the next session - see point > 1). You already need multiple if you try to "resume"[1] DHE-PSK session (since "resumption" shares the PSK space). Additionally, TLS 1.2 had identity hint, but TLS 1.3 eliminates that due to flight limits. > 3. The maximum size of the username is 2^16. Isn't that excessive for a > user name or a user identifier? Why not set 2^8? That would fit a uuid > or anything similarly large. If one wants to do the equivalent of tickets in TLS 1.2, one needs pretty large usernames. [1] IMO, TLS 1.3 does not have session resumption (doesn't stop others from calling the relevant features "resumption"). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls