On Wed, 2018-05-16 at 11:30 +0200, Ander Juaristi wrote:
> On 2018-05-11 09:05, Nikos Mavrogiannopoulos wrote:
> > On Thu, 2018-05-10 at 11:46 -0400, Viktor Dukhovni wrote:
> > > 
> > > Good to know.  Does any implementation other than OpenSSL support
> > > external PSKs?  How do you distinguish between external PSKs and
> > > resumption PSKs?
> > 
> > gnutls does. For external PSKs it checks for ticket age being zero and
> > the username/identity within acceptable bounds.
> Hey Nikos,
> I remember we had this discussion, but wanted to transfer it to the list
> as even though I believe that approach will work almost always, by
> reading the current draft my understanding is that the ticket age being
> zero is no more than a hint that it *might* be a PSK.
> What's wrong with trying to decrypt it first and then, if decryption
> fails, treat it as an external PSK and look up its identity in the
> database? GnuTLS encrypts the tickets with EtA, so with "decrypt" I mean
> checking the MAC first, and then decrypting. Isn't this a stronger check?

Decrypting a ticket may not always be possible. For example, server
keys may get rotated, or a server may receive keys which were destined
for another server in the pool.

> Another option to remove some ambiguity out of here would just be to
> change the draft to say that externally set PSKs MUST have a ticket age
> of zero (rather than SHOULD). This way a server can instantly recognize
> an external PSK. A real ticket can never have an obfuscated ticket age
> of zero, right? Or can it?

I think that ticket age could be zero even for non-preshared keys (not
very likely though).

A field which could potentially be used to distinguish tickets is the
key_name of an rfc5077 formatted ticket.


TLS mailing list
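
An added example, not code from GnuTLS, OpenSSL or anyone in this thread: a server-side classifier that uses the RFC 5077 key_name as a lookup hint, verifies the ticket MAC, and only then falls back to an external PSK database lookup, without relying on ticket age. The HMAC-SHA-256 MAC, the 64-byte identity bound, the sample keys and the names `verify_ticket`, `classify_identity`, `TICKET_KEYS` and `EXTERNAL_PSKS` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5077 recommended ticket layout: key_name[16] | iv[16] | len[2] | state | mac[32]
KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
HEADER_LEN = KEY_NAME_LEN + IV_LEN + 2
MAX_EXTERNAL_ID_LEN = 64  # assumed local bound on external PSK identities

# Constructed sample data, not real keys.
TICKET_KEYS = {b"key-name-current": b"m" * 32}   # key_name -> MAC key
EXTERNAL_PSKS = {b"client-42": b"p" * 32}        # identity -> PSK


def build_ticket(key_name, mac_key, iv, encrypted_state):
    """Build a constructed sample ticket (encrypt-then-MAC, HMAC-SHA-256)."""
    body = key_name + iv + struct.pack("!H", len(encrypted_state)) + encrypted_state
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify_ticket(identity, ticket_keys):
    """Return the key_name if identity is a ticket MACed under a key we hold."""
    if len(identity) < HEADER_LEN + MAC_LEN:
        return None
    key_name = identity[:KEY_NAME_LEN]
    mac_key = ticket_keys.get(key_name)  # key_name is only an unauthenticated hint
    if mac_key is None:
        return None  # rotated key, or a ticket meant for another server in the pool
    body, tag = identity[:-MAC_LEN], identity[-MAC_LEN:]
    (state_len,) = struct.unpack_from("!H", body, KEY_NAME_LEN + IV_LEN)
    if state_len != len(body) - HEADER_LEN:
        return None  # length field disagrees with the actual ticket size
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return key_name if hmac.compare_digest(tag, expected) else None


def classify_identity(identity, ticket_keys, external_psks):
    """Classify a ClientHello PSK identity without relying on ticket age."""
    key_name = verify_ticket(identity, ticket_keys)
    if key_name is not None:
        return ("resumption", key_name)
    if len(identity) <= MAX_EXTERNAL_ID_LEN and identity in external_psks:
        return ("external", external_psks[identity])
    return ("unknown", None)  # skip this identity; fall back to a full handshake
```

A ticket issued under a rotated or foreign key lands in the "unknown" branch rather than being mistaken for an external PSK, which is the failure case raised in the reply above.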