Re: [TLS] draft-jay-tls-psk-identity-extension-01

David Woodhouse <> Wed, 21 September 2016 19:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8C9D312BBC4 for <>; Wed, 21 Sep 2016 12:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rpKEYxh5sFt1 for <>; Wed, 21 Sep 2016 12:16:34 -0700 (PDT)
Received: from ( [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 19D4912BBEF for <>; Wed, 21 Sep 2016 12:16:30 -0700 (PDT)
Received: from [2001:8b0:10b:1:841b:5eff:0:f69] ( by with esmtpsa (Exim 4.85_2 #1 (Red Hat Linux)) id 1bmn0M-0000WY-Ma; Wed, 21 Sep 2016 19:16:27 +0000
Message-ID: <>
From: David Woodhouse <>
To: Raja ashok <>, Nikos Mavrogiannopoulos <>
Date: Wed, 21 Sep 2016 20:16:15 +0100
In-Reply-To: <>
References: <> <> <>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-8hL4AWp/JRIDhBbknXk4"
X-Mailer: Evolution (
Mime-Version: 1.0
X-SRS-Rewrite: SMTP reverse-path rewritten from <> by See
Archived-At: <>
Cc: "" <>, "" <>
Subject: Re: [TLS] draft-jay-tls-psk-identity-extension-01
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Sep 2016 19:16:36 -0000

On Wed, 2016-09-21 at 17:46 +0000, Raja ashok wrote:
> [ashok]  : PSK Identity extension specified in our extension differs
> from the extension specified in TLS1.3. 

Agreed. I suspect it just makes sense to add a sentence to that effect,
to the draft?

> [ashok] : I feel sending the selected ID is better, otherwise while
> process "server hello" msg, client has to maintain the PSK ID list in
> the same order in which it sent. Already there was a discussion in
> TLS1.3 group for sending selected ID instead of index. 

Yes, I agree. In TLS1.3 it kind of makes sense, because the PSK
identifiers there can be huge — they are the full session ticket from
RFC5077. So it makes some sense to send back only an index. But in
TLS <= 1.2 when you're not (ab)using PSK for session resumption, that
motivation goes away and returning the identity itself seems
reasonable. But again, it's just worth calling out the differences
between TLSv1.3 for clarity.

There is also discussion of supporting only a *single* PSK identity in
TLSv1.3. If that happens, is there a real need for the extension to
permit more than one identity in TLS <= 1.2.