In <https://datatracker.ietf.org/doc/html/rfc9849#name-grease-psk> one reads:
The client generates the extension payload by constructing an
OfferedPsks structure (see [RFC8446], Section 4.2.11) as follows. For
each PSK identity advertised in the ClientHelloInner, the client
generates a random PSK identity with the same length. It also generates
a random, 32-bit, unsigned integer to use as the obfuscated_ticket_age.
Likewise, for each inner PSK binder, the client generates a random
string of the same length.
It is reasonably clear why the outer PSK count should be at least the
inner PSK count, making the backend server's SH valid per protocol.
What is far from clear is why the lengths must match. Especially for
external PSKs, where the identity length can distinguish some clients
from others, or for resumption tickets bearing certificate chains, that
are reflected in the certificate size, why must the outer length leak
the inner length? The reason is not obvious to me.
Also why can't the outer PSK count exceed the inner PSK count?
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]