On Sep 18, 2019, at 8:45 AM, Owen Friel (ofriel) <ofr...@cisco.com> wrote:
>
>> Which means that if PSK was allowed, the server can't look at the packets to
>> distinguish resumption from "raw" PSK. Instead, the server has to look at
>> its resumption cache which may be in a DB.
>
> The server can use the PskIdentity in the PreSharedKeyExtension to
> differentiate between an offline PSK used for authentication vs. a PSK
> established via NewSessionTicket.
Please define "use". As an implementor, I can't implement "my code USES a field". I need to know what the code *does* with it.

How does the code differentiate between PSK identities? Are the identity formats different? If so, how and why? What prevents a malicious attacker from "using" a format which matches an identity coming from NewSessionTicket?

My understanding is that the code *cannot* make any decisions simply by looking at the PSK identity field. Instead, it has to look at the resumption cache to see if a given PSK matches a cached one. Or maybe the code looks in a DB to see if the given PSK is a real "end-user" PSK in the DB.

Simply waving your hands and saying it "uses" a field is unhelpful. Please give substantive feedback and/or advice about what the code *does*.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
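Editor's added example, not part of the thread above and not code from Cisco, FreeRADIUS, or any TLS stack: one concrete answer to "what does the code *do* with the PskIdentity?" for a TLS 1.3 server. It models the two identity sources the messages discuss, tickets the server issued in NewSessionTicket and external ("raw") PSKs provisioned out of band. The ticket layout (key name || nonce || state || HMAC-SHA256 tag, a stateless stand-in for the resumption cache) and all keys, identities and PSK values are assumptions constructed for the example; RFC 8446 leaves ticket contents opaque. The point it demonstrates is the one Alan raises: nothing is decided from the identity bytes alone. A ticket is accepted only if its MAC verifies under the server's ticket key, an external PSK only if the identity is actually present in the table, and a client-chosen identity that merely matches the ticket format fails the MAC and falls through to the table lookup. Binder verification, which proves the client actually holds the PSK, would follow this step and is not shown.

```python
"""Dispatching on a TLS 1.3 PskIdentity.identity value (editorial example).

Ticket format, keys and identities below are assumptions for illustration,
not any implementation's real format or material.
"""
import hashlib
import hmac
import os
import struct
import time

# Constructed server-side material (not real keys).
TICKET_KEY_NAME = b"tk-2019-09-1"      # 12-byte name of the current ticket MAC key
TICKET_MAC_KEY = hashlib.sha256(b"example ticket mac key").digest()
EXTERNAL_PSKS = {                       # identity -> PSK, e.g. loaded from a DB
    b"client-7@example.test": bytes.fromhex("a1" * 32),
}
NONCE_LEN = 16
TAG_LEN = 32
STATE_FMT = "!32sQ"                     # resumption PSK (32 bytes) || expiry, epoch seconds
STATE_LEN = struct.calcsize(STATE_FMT)
TICKET_LEN = len(TICKET_KEY_NAME) + NONCE_LEN + STATE_LEN + TAG_LEN


def issue_ticket(resumption_psk, lifetime_s=7200, now=None):
    """Build the opaque ticket the server would send in NewSessionTicket."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN)
    state = struct.pack(STATE_FMT, resumption_psk, now + lifetime_s)
    body = TICKET_KEY_NAME + nonce + state
    tag = hmac.new(TICKET_MAC_KEY, body, hashlib.sha256).digest()
    return body + tag


def check_ticket(identity, now=None):
    """Return the resumption PSK if identity is an unexpired ticket we issued, else None."""
    now = int(time.time()) if now is None else now
    # Cheap structural checks first; passing them proves nothing by itself.
    if len(identity) != TICKET_LEN or not identity.startswith(TICKET_KEY_NAME):
        return None
    body, tag = identity[:-TAG_LEN], identity[-TAG_LEN:]
    expected = hmac.new(TICKET_MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # forged, tampered, or issued under another key
    psk, expiry = struct.unpack(STATE_FMT, body[len(TICKET_KEY_NAME) + NONCE_LEN:])
    if now >= expiry:
        return None
    return psk


def resolve_psk(identity, now=None):
    """Dispatch on one PskIdentity.identity value.

    Returns ("resumption", psk), ("external", psk), or None (reject, or fall
    back to certificate authentication). The order only affects cost: checking
    the ticket MAC first keeps garbage identities away from the external-PSK
    store, but neither branch trusts the identity bytes by themselves.
    """
    psk = check_ticket(identity, now)
    if psk is not None:
        return ("resumption", psk)
    psk = EXTERNAL_PSKS.get(identity)
    if psk is not None:
        return ("external", psk)
    return None


if __name__ == "__main__":
    t = issue_ticket(b"\x11" * 32, now=1000)
    print("issued ticket ->", resolve_psk(t, now=1000)[0])
    print("same ticket, expired ->", resolve_psk(t, now=10000))
    lookalike = TICKET_KEY_NAME + b"\x00" * (TICKET_LEN - len(TICKET_KEY_NAME))
    print("format-matching forgery ->", resolve_psk(lookalike))
    print("external identity ->", resolve_psk(b"client-7@example.test")[0])
    print("unknown identity ->", resolve_psk(b"nobody"))
```

If the server keeps tickets in a database instead of encoding state into them, check_ticket becomes a lookup keyed by the identity and the same conclusion holds: the identity is a lookup key, and the cache hit (or the MAC) is the decision, not the shape of the bytes.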