On Wed, 2018-05-16 at 11:30 +0200, Ander Juaristi wrote:
> On 2018-05-11 09:05, Nikos Mavrogiannopoulos wrote:
> > On Thu, 2018-05-10 at 11:46 -0400, Viktor Dukhovni wrote:
> > >
> > > Good to know. Does any implementation other than OpenSSL support
> > > external PSKs? How do you distinguish between external PSKs and
> > > resumption PSKs?
> >
> > gnutls does. For external PSKs it checks for ticket age being zero
> > and the username/identity within acceptable bounds.
>
> Hey Nikos,
>
> I remember we had this discussion, but wanted to transfer it to the
> list as even though I believe that approach
> will work almost always, by reading the current draft my
> understanding is that the ticket age being zero is no more than a hint
> that it *might* be a PSK.
>
> What's wrong with trying to decrypt it first and then if decryption
> fails treat it as an external PSK and look up
> its identity in the database? GnuTLS encrypts the tickets with EtA
> so with "decrypt" I mean checking the MAC first,
> and then decrypting. Isn't this a stronger check?

Decrypting a ticket may not always be possible. For example, server keys may get rotated, or a server may receive keys which were destined for another server in the pool.

> Another option to remove some ambiguity out of here would just be to
> change the draft to say that externally set PSKs
> MUST have a ticket age of zero (rather than SHOULD). This way a
> server can instantly recognize an external PSK. A real
> ticket can never have an obfuscated ticket age of zero, right? Or
> can it?

I think that ticket age could be zero even for non-preshared keys (not very likely though). A field which could potentially be used to distinguish tickets is the key_name of an rfc5077 formatted ticket.

regards,
Nikos
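
The checks discussed in this thread (key_name lookup, MAC check before decryption, identity database lookup, ticket age as a hint only), combined into one classifier as an added example that is not part of the original message and is not GnuTLS or OpenSSL code. It assumes the RFC 5077 recommended ticket layout (key_name, IV, length-prefixed encrypted state, HMAC-SHA-256); all function names, keys and identities are hypothetical, and encryption of the state is omitted.

```python
import hashlib
import hmac
import os
import struct

KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
HDR_LEN = KEY_NAME_LEN + IV_LEN + 2  # key_name + iv + 2-byte state length

def make_ticket(key_name, mac_key, enc_state):
    """Build a constructed RFC 5077-style ticket (state encryption omitted)."""
    body = key_name + os.urandom(IV_LEN) + struct.pack("!H", len(enc_state)) + enc_state
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def verify_ticket(identity, ticket_keys):
    """True if key_name is one of ours and the MAC over the ticket body checks."""
    if len(identity) < HDR_LEN + MAC_LEN:
        return False
    mac_key = ticket_keys.get(identity[:KEY_NAME_LEN])
    if mac_key is None:  # rotated key, or a ticket issued by another server
        return False
    body, mac = identity[:-MAC_LEN], identity[-MAC_LEN:]
    (state_len,) = struct.unpack("!H", body[HDR_LEN - 2:HDR_LEN])
    if state_len != len(body) - HDR_LEN:
        return False
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def classify_identity(identity, obfuscated_age, ticket_keys, external_psks):
    """Return (kind, age_hint_agrees); kind is resumption, external or unknown.

    The ticket age never decides the outcome; the second value only reports
    whether the "age zero means external PSK" heuristic would have agreed.
    """
    if verify_ticket(identity, ticket_keys):
        return "resumption", obfuscated_age != 0
    if identity in external_psks:
        return "external", obfuscated_age == 0
    return "unknown", False  # neither: fall back to a full handshake

# Constructed sample data: one current ticket key, one provisioned external PSK.
TICKET_KEYS = {b"current-key-0001": b"\x11" * 32}
EXTERNAL_PSKS = {b"sensor-42": b"\x22" * 32}
```

A ticket whose key_name is unknown (rotated key, or another server in the pool) that also fails the database lookup comes back as `unknown`, which is the case where the server simply continues with a full handshake.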