On Fri, 2018-06-15 at 13:00 +0100, Matt Caswell wrote:
>
> On 15/06/18 12:37, Nikos Mavrogiannopoulos wrote:
> > It feels that this is too little too late. Implementations which
> > support PSKs will switch to TLS1.3 irrespective of this proposal. If
> > this proposal takes on, we will have some implementations which support
> > universal PSKs and others which don't, leading to interoperability
> > problems which we wouldn't have otherwise.
>
> I'm not sure how many TLS1.3 implementations there are out there that
> also have TLS1.2 PSK support. OpenSSL is one of them. We have APIs
> for TLS1.2 PSKs and different APIs for TLS1.3 PSKs. Currently applications
> using the old APIs can still expect those PSKs to work in TLS1.3. In
> light of this proposal we are considering removing our TLS1.2 -> TLS1.3
> PSK code and instead restricting applications using TLS1.2 PSK APIs to
> only TLS1.2 until this is resolved (although unfortunately that would
> mean removing it from our upcoming LTS release).
In gnutls [0] we have the same APIs for PSK under TLS1.2 and TLS1.3 and the
transition is quite smooth, but in contrast to David's algorithm, we select a
PSK before selecting the ciphersuite in order to make that work. The problem I
see is that PSKs are restricted to SHA256 KDF and thus AES128, which is somewhat
ugly, but we can live with it until we provide a better way to mark a specific
PRF in our key files.

regards,
Nikos

[0]. https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html (PSK key exchange)
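The selection order Nikos describes, as an added example that is not code from gnutls, OpenSSL or anyone on the thread: in TLS 1.3 every PSK is bound to one hash (external PSKs default to SHA-256), so a server that resolves the PSK first can then restrict itself to cipher suites with that hash, whereas a server that fixes the cipher suite first may find no usable PSK and fall back to certificates. The PSK store and identities below are constructed sample data.

```python
"""Server-side TLS 1.3 PSK and cipher-suite selection (constructed example).

RFC 8446 associates each PSK with a single hash algorithm and requires the
server to pick a cipher suite whose hash matches the PSK it uses. The two
functions compare resolving the PSK first with resolving the suite first.
"""
from typing import Dict, List, Optional, Tuple

# TLS 1.3 cipher suites and the hash each one drives the key schedule with.
SUITE_HASH: Dict[str, str] = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
}

# Constructed server PSK store: identity -> hash the key is associated with.
# A key carried over from a TLS 1.2-style store has no recorded PRF, so it
# gets the RFC 8446 default for external PSKs, SHA-256.
PSK_DB: Dict[str, str] = {
    "device-7": "sha256",       # legacy key, default hash
    "backup-ctrl": "sha384",    # key provisioned with an explicit PRF
}


def select_psk_first(client_suites: List[str], offered_identities: List[str],
                     psk_db: Dict[str, str] = PSK_DB) -> Optional[Tuple[int, str]]:
    """Resolve a known PSK first, then a client-offered suite with its hash."""
    for index, identity in enumerate(offered_identities):
        psk_hash = psk_db.get(identity)
        if psk_hash is None:
            continue
        for suite in client_suites:
            if SUITE_HASH.get(suite) == psk_hash:
                return index, suite
    return None  # no usable PSK: server falls back to certificate auth


def select_suite_first(client_suites: List[str], offered_identities: List[str],
                       psk_db: Dict[str, str] = PSK_DB) -> Optional[Tuple[int, str]]:
    """Fix the first mutually supported suite, then look for a matching PSK."""
    suite = next((s for s in client_suites if s in SUITE_HASH), None)
    if suite is None:
        return None
    for index, identity in enumerate(offered_identities):
        if psk_db.get(identity) == SUITE_HASH[suite]:
            return index, suite
    return None  # suite chosen, but no PSK with that hash: PSK silently unused
```

With a client that prefers TLS_AES_256_GCM_SHA384 and offers the legacy SHA-256 key, only the PSK-first order keeps the PSK in play.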