Re: [TLS] The future of external PSK in TLS 1.3

Viktor Dukhovni <> Sat, 19 September 2020 21:10 UTC

On Sat, Sep 19, 2020 at 06:00:00PM +0200, Filippo Valsorda wrote:

> Setting Recommended to N is not "banning" anything, it's saying it
> "has not been through the IETF consensus process, has limited
> applicability, or is intended only for specific use cases". SCADA
> sounds like a pretty specific use case.
> I don't have a strong opinion on psk_dhe_ke, but I see no reason
> psk_ke wouldn't be marked N like all suites lacking PFS.

Is there actually a problem here?  "Nobody" is using external PSK "on
the open Internet", because, perhaps not surprisingly, you need to have
a pre-shared key for that.  Thus, browsers and the like just don't have
pre-shared keys with each and every web-server the user might direct
them at.

By the time external PSK (i.e. not resumption session tickets) is actually
in use, we're already well outside the use cases where we're protecting
the privacy of Joe-consumer using commodity software.

Perhaps in the IoT space one can envision some device "calling home" to
the manufacturer or supplier in a manner that identifies the device
slightly more than just the source and destination IP addresses, ...
but I don't see this as motivating a compelling need to change the