Hi Ilari,

Thanks for pointing this out. I will admit I am pretty unaware of the
additional constraints that DTLS has, but I will try to look at this
issue in more detail. In the meantime, I would also appreciate it if
people who are also concerned about AuthKEM+DTLS share their interest
and concerns, as that will help with their visibility and maybe give me
a list of people to ask questions to :)

You're welcome to contribute or +1 in the mailing list or, if you're
concerned about noise, thumbs-up on this issue
https://github.com/kemtls/draft-celi-wiggers-tls-authkem/issues/23

Cheers,

Thom
PQShield

On Tue, 4 Jul 2023 at 20:27, Ilari Liusvaara <[email protected]> wrote:

> On Tue, Jul 04, 2023 at 08:00:00AM +0200, Thom Wiggers wrote:
> >
> > It has been a while since I have had time to work on the IETF draft
> > for AuthKEM (``draft-celi-wiggers-tls-authkem``, aka "KEMTLS"), and
> > some of you have previously asked when the draft (which is currently
> > expired) will be updated. In this email, I want to pick up the work
> > again.
> >
> > Specifically, I want to do the following:
> >
> > * Split the proposal in two parts for improved legibility and
> >   applicability to use cases
> > * Once this is done and in a good shape, move forward towards
> >   consensus with the aim of adoption
> >
> > I will now describe the plan in more detail. I am welcoming further
> > suggestions, and would like to hear if these changes make sense and
> > are appreciated. If nothing else, you're welcome to help bikeshed
> > draft names. :-)
> >
> > The draft currently describes TLS authentication via KEM ("KEMTLS
> > authentication") and TLS-PSK-style abbreviated handshakes via KEM
> > (KEMTLS-PDK). The TLS authentication and the abbreviated KEM-based
> > PSK-style handshake probably are independently interesting. The two
> > proposals can be split and this would hopefully make evaluating them
> > easier. AuthKEM and "pre-shared KEM" can be independently
> > implemented.
>
> Reading the draft, it occurs to me that adapting it to work on DTLS (or
> unreliable CTLS) might require major and very challenging changes to
> DTLS 1.3. Especially with client authentication.
>
> And 0-RTT client auth probably can not work in DTLS at all, since DTLS
> has no reliability for 0-RTT, unlike other handshake, which is reliable.
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
