On Wed, Sep 21, 2016 at 09:33:11PM +0100, David Woodhouse wrote:
> On Wed, 2016-09-21 at 23:00 +0300, Ilari Liusvaara wrote:
> > On Wed, Sep 21, 2016 at 08:16:15PM +0100, David Woodhouse wrote:
> >  E.g. altering hello_finished to be a list, one entry for each
> > identity, or omitting it entirely for "implicit finished with the
> > used 0-RTT key before ServerHello" trick I outlined earlier.
> > (Neither is probably pleasant to implement... The latter is probably
> > easier if the library architecture is suitable).
> I had also suggested including a hello_finished only for the first
> (preferred) PSK identity. If the server doesn't want that one, it can
> send a HelloRetryRequest with a PreSharedKeyExtension indicating which
> PSK identity it *does* want.
> Or did I miss a reason why that wasn't sufficient and *each*
> ClientHello needed to be validated? I confess I've only been looking at
> this for the last day or so.
Basically, you need the binder (finished) for whatever PSK you actually
wind up using, or you have attacks in some cases.
So it would technically be possible to have multiple PSK identities,
and use HRR to change the one used (followed by client signaling
finished for that one in new ClientHello).
TLS mailing list
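The two schemes debated above, as an added example that is not part of the thread and not the exact RFC key schedule: a simplified model in which each offered PSK identity may carry a binder (an HMAC over the ClientHello transcript prefix), the server verifies only the binder of the identity it actually selects, and an identity offered without a binder can only be chosen via a HelloRetryRequest that names it. The `binder_key` derivation, the ClientHello encoding and all PSK values are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Simplified model of TLS 1.3 PSK binders (assumption: not the RFC 8446 key
# schedule): binder = HMAC(binder_key, Transcript-Hash(ClientHello prefix)).
HASH = hashlib.sha256


def binder_key(psk: bytes) -> bytes:
    # Stand-in for the HKDF-based binder_key derivation (assumption).
    return hmac.new(b"tls13 res binder", psk, HASH).digest()


def compute_binder(psk: bytes, client_hello_prefix: bytes) -> bytes:
    # The binder covers the ClientHello up to, but not including, the binders list.
    transcript = HASH(client_hello_prefix).digest()
    return hmac.new(binder_key(psk), transcript, HASH).digest()


def build_client_hello(identities, psks, hello_body: bytes, bind_only_first=False):
    """Return (prefix, binders). With bind_only_first=True only the preferred
    (first) identity gets a binder, the others carry None (the thread's variant)."""
    prefix = hello_body + b"".join(struct.pack(">H", len(i)) + i for i in identities)
    binders = [
        compute_binder(psks[i], prefix) if (k == 0 or not bind_only_first) else None
        for k, i in enumerate(identities)
    ]
    return prefix, binders


def server_process(prefix, identities, binders, server_psks, preferred):
    """Server side: accept the preferred identity if its binder verifies, ask for
    it with a HelloRetryRequest if it was offered without a binder, otherwise fall
    back to the first offered identity the server can verify. A binder that is
    present but wrong is fatal, never silently skipped."""
    for identity in (preferred, *identities):
        if identity not in identities or identity not in server_psks:
            continue
        binder = binders[identities.index(identity)]
        if binder is None:
            return ("hello_retry_request", identity)
        expected = compute_binder(server_psks[identity], prefix)
        if hmac.compare_digest(expected, binder):
            return ("accept", identity)
        return ("abort", identity)
    return ("abort", None)


if __name__ == "__main__":
    # Constructed demo PSKs shared by client and server.
    psks = {b"A": b"\x01" * 32, b"B": b"\x02" * 32}
    ids = [b"A", b"B"]

    # Binder for every identity: server may pick B directly.
    prefix, binders = build_client_hello(ids, psks, b"ClientHello-1")
    print(server_process(prefix, ids, binders, psks, preferred=b"B"))

    # Binder only for the first identity: choosing B needs a HelloRetryRequest,
    # after which the client re-sends a ClientHello bound to B.
    prefix, binders = build_client_hello(ids, psks, b"ClientHello-1", bind_only_first=True)
    verdict, wanted = server_process(prefix, ids, binders, psks, preferred=b"B")
    print(verdict, wanted)
    prefix2, binders2 = build_client_hello([wanted], psks, b"ClientHello-2")
    print(server_process(prefix2, [wanted], binders2, psks, preferred=wanted))
```

The model makes the point of the reply concrete: whichever identity the server ends up using must have a binder the server verified under that PSK, either in the first ClientHello or in the one sent after the HelloRetryRequest.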