Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3

[Russ Housley <housley@vigilsec.com>]

Ben:

> I also had the sense that ekr noted that we didn't want to do this in the core spec.
> So, could you point me more clearly at what you would want to change in the core spec that would allow doing the thing you want to see done in a future document?  (Is it just removing "i.e., when a PSK is not in use"?)
> 

I am not looking to put the details in the core spec.  I think I said that in my first posting.  However, I do want to ensure that the identity associated with the external PSK and the certificate are both considered.  There needs to be a hook in the core spec for that to happen.

I quotes the part of the core spec that seems to say otherwise.


>>> On Thu, Dec 22, 2016 at 4:54 PM Russ Housley <housley@vigilsec.com> wrote:
>>> I want to make sure that it is possible to mix PSK with (EC)DH as a protection against the discovery of a quantum computer.  I recognize that the WG does not want to tackle this topic in the base specification; however, the following text in Section 4.1.1 makes this difficult to do so in a companion document:
>>> 
>>> >    The server indicates its selected parameters in the ServerHello as
>>> >    follows:
>>> >
>>> >    -  If PSK is being used then the server will send a "pre_shared_key"
>>> >       extension indicating the selected key.
>>> >
>>> >    -  If PSK is not being used, then (EC)DHE and certificate-based
>>> >       authentication are always used.
>>> >
>>> >    -  When (EC)DHE is in use, the server will also provide a "key_share"
>>> >       extension.
>>> >
>>> >    -  When authenticating via a certificate (i.e., when a PSK is not in
>>> >       use), the server will send the Certificate (Section 4.4.1) and
>>> >       CertificateVerify (Section 4.4.2) messages.

Russ