Re: [TLS] Remove 0-RTT client auth

[Cedric Fournet <fournet@microsoft.com>]

Agreed. For what it is worth, 0-RTT with PSK would still provide implicit client authentication.



From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: 21 February 2016 19:37
To: Martin Thomson <martin.thomson@gmail.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Remove 0-RTT client auth

+1

On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:
I'm sitting here in TRON listening to Karthik describe all the various
ways in which client authentication in 0-RTT is bad.  I'm particularly
sympathetic to the perpetual impersonation attack that arises when the
client's ephemeral key is compromised.

We originally thought that we might want to do this for
WebRTC/real-time.  As it so happens, we have an alternative design
that doesn't need this, so...

I propose that we remove client authentication from 0-RTT.

This should simplify the protocol considerably.

https://github.com/tlswg/tls13-spec/issues/420

[1] Compromising the server's long term key has the same impact, but
that's interesting for other, worse reasons.
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cFOURNET%40064d.mgd.microsoft.com%7cb8afe35a6c8a4dd7e41308d33af67de7%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=JiINW%2fUouLWcJn0b%2fGjg7mVZH%2fGQxI1QvOhA42YdywE%3d>