On Thu, 19 Sep 2019 at 21:57, Richard Barnes <r...@ipv.sx> wrote:

> I don't think anyone's asking for these cases to be differentiable on the
> wire.  The question is whether the *server* can differentiate, in
> particular, the application running on the server.
>
> --Richard
>
Exactly. I hope it's not controversial that the TLS server knows what's
going on / what it's agreeing to. The specific restriction I was suggesting
is that a server shouldn't accept multiple PSKs with the same PSK_ID.
That would require the server to do things like trial decryption, and has
so many ways it could go wrong. The PSK Importer draft is designed to make
it easy to take a single PSK and PSK_ID and diversify them safely.
Using one PSK_ID for multiple PSKs has no benefits and lots of risks.

Regards,

Jonathan


>
> On Thu, Sep 19, 2019 at 2:36 PM Nico Williams <n...@cryptonector.com>
> wrote:
>
>> On Thu, Sep 19, 2019 at 08:06:26AM -1000, Christian Huitema wrote:
>> > There is also a privacy angle. From a privacy point of view, it is
>> > very nice that PSK cannot be distinguished from session resumption.
>>
>> This.
>>
>> PSK is the right way to, for example, integrate Kerberos into TLS 1.3
>> now.  But it's no eavesdropper's business whether a session used
>> Kerberos for setup or resumption tickets.
>>
>> Nico
>> --
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
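The restriction discussed in this message, as an added example that is not part of the thread or of any TLS implementation: a hypothetical server-side `PskStore` that refuses a second PSK under an existing identity, so each offered identity selects one key and needs one binder check instead of a trial over candidate keys. The binder follows the RFC 8446 computation for an external PSK with SHA-256; the class and function names and any ClientHello bytes passed in are assumptions made for illustration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1), one SHA-256 output block."""
    full = b"tls13 " + label
    info = (HASH_LEN.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()


def psk_binder(psk: bytes, truncated_hello: bytes) -> bytes:
    """Binder for an external PSK over the truncated ClientHello bytes."""
    early_secret = hmac.new(b"\x00" * HASH_LEN, psk, hashlib.sha256).digest()
    binder_key = hkdf_expand_label(early_secret, b"ext binder",
                                   hashlib.sha256(b"").digest())
    finished_key = hkdf_expand_label(binder_key, b"finished", b"")
    transcript = hashlib.sha256(truncated_hello).digest()
    return hmac.new(finished_key, transcript, hashlib.sha256).digest()


class DuplicatePskIdentity(ValueError):
    """Raised when a second PSK is provisioned under an existing identity."""


class PskStore:
    """Hypothetical store: one PSK per identity, enforced at provisioning."""

    def __init__(self) -> None:
        self._by_id = {}

    def register(self, identity: bytes, psk: bytes) -> None:
        if identity in self._by_id:
            raise DuplicatePskIdentity(f"identity {identity!r} already has a PSK")
        self._by_id[identity] = psk

    def verify(self, identity: bytes, truncated_hello: bytes, binder: bytes) -> bool:
        # The identity selects exactly one key, so a single binder check decides.
        psk = self._by_id.get(identity)
        if psk is None:
            return False
        return hmac.compare_digest(psk_binder(psk, truncated_hello), binder)
```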