> -----Original Message-----
> From: Jonathan Hoyland <[email protected]>
> Sent: 19 September 2019 14:32
> To: Owen Friel (ofriel) <[email protected]>
> Cc: Martin Thomson <[email protected]>; [email protected]
> Subject: Re: [TLS] Distinguishing between external/resumption PSKs
>
> Hi Owen,
>
> If I understand your question correctly the distinguishing is done implicitly
> (not explicitly) through the key schedule.
> If the client and server do not agree on whether the PSK is a resumption or
> an OOB PSK then the `binder_key` will not match, and the handshake will fail.
>
> See pp. 93-94 of the spec.

And we only even get that far on the off chance that an ext PskIdentity.identity is exactly the same as a res PskIdentity.identity. e.g. a client presents an ext PskIdentity.identity, the server somehow thinks it's a res PskIdentity.identity, and then handshaking will fail, not only because the actual raw PSK is likely different but the binders will not match due to different labels. But my question was before we even get that far: it's an internal server implementation decision how it determines whether the presented PskIdentity.identity is ext or res, or whether e.g. to try looking up an ext DB table vs. a res cache first to find a PskIdentity.identity match. And say it fails to find an ext match, then it tries to find a res match, and if it finds a match, then it knows what binder label to use.

> Does that answer your question?
>
> Regards,
>
> Jonathan
>
> On Thu, 19 Sep 2019 at 11:52, Owen Friel (ofriel) <[email protected]> wrote:
>
> > -----Original Message-----
> > From: TLS <[email protected]> On Behalf Of Martin Thomson
> > Sent: 04 September 2019 02:46
> > To: [email protected]
> > Subject: Re: [TLS] Binder key labels for imported PSKs
> >
> > > When we built the ext/res distinction, there was a clear problem expressed.
> > > We had the potential for both to be used by the same servers at the same
> > > time (though not for the same connection) and distinguishing between them
> > > was important
> >
> > Martin, maybe I am missing something in the threads on this. Is there
> > anything explicit planned in ClientHello PreSharedKeyExtension or
> > PskKeyExchangeModes to explicitly distinguish between ext/res PSKs? Or is
> > it up to server implementation and how the server handles the opaque
> > PskIdentity.identity? e.g. ImportedIdentity.external_identity fields could be
> > stored in one DB table, and (ignoring
> > https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-00#section-9
> > for now) the server on receipt of a ClientHello searches for
> > PskIdentity.identity in its ImportedIdentity.external_identity table and if
> > that lookup fails, then try to parse PskIdentity.identity as a
> > NewSessionTicket.ticket? And the order of those two operations is of course
> > implementation specific too.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
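The key-schedule behaviour both messages describe, as an added example that is not part of the thread or of any TLS implementation: the RFC 8446 binder derivation with the "ext binder" / "res binder" labels, plus a server-side lookup that tries an external table before a resumption cache and lets the matching store decide the label. Assumed: SHA-256, a constructed PSK, identity and truncated ClientHello, and plain in-memory dicts for the two stores.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, ctx: bytes, length: int) -> bytes:
    # HkdfLabel from RFC 8446 section 7.1: uint16 length, "tls13 " + label, context
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(ctx)]) + ctx
    return hkdf_expand(secret, info, length)

def binder_key(psk: bytes, is_external: bool) -> bytes:
    # Early Secret = HKDF-Extract(0, PSK); the label is the only ext/res difference
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)
    label = b"ext binder" if is_external else b"res binder"
    return hkdf_expand_label(early_secret, label, HASH(b"").digest(), HASH_LEN)

def compute_binder(psk: bytes, is_external: bool, truncated_hello: bytes) -> bytes:
    # PskBinderEntry = HMAC(finished_key, Transcript-Hash(truncated ClientHello))
    finished_key = hkdf_expand_label(binder_key(psk, is_external), b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_hello).digest(), HASH).digest()

def server_verify_binder(identity: bytes, client_binder: bytes, truncated_hello: bytes,
                         external_db: dict, resumption_cache: dict) -> bool:
    # Lookup order is an implementation choice; the external table is tried first here,
    # and whichever store matches decides which binder label the server uses.
    if identity in external_db:
        psk, is_external = external_db[identity], True
    elif identity in resumption_cache:
        psk, is_external = resumption_cache[identity], False
    else:
        return False
    return hmac.compare_digest(compute_binder(psk, is_external, truncated_hello), client_binder)

# Constructed sample values (not from the thread)
PSK = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENTITY = b"example-imported-identity"
TRUNCATED_HELLO = b"constructed truncated ClientHello bytes"
```

With the same raw PSK stored only in the resumption cache, the server picks the "res binder" label and verification fails, which is the implicit distinction Jonathan describes.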
