The discussion on the list supports the consensus in the IETF 95 meeting to
remove DHE-based 0-RTT modes. The mode should be removed from the draft.
Cheers,
J&S
On Tue, Mar 29, 2016 at 6:11 AM, Sean Turner wrote:
> All,
>
> To make sure we’ve got a clear way forward coming out of our BA sessi
On 31 March 2016 at 15:52, Wan-Teh Chang wrote:
> The info in these two tables is exactly the same for DHE-based 0-RTT
> and PSK-based 0-RTT.
You are right. I remain concerned about the other factors.
___
TLS mailing list
TLS@ietf.org
https://www.iet
On Thu, Mar 31, 2016 at 11:49 PM, Eric Rescorla wrote:
>
>
> On Thu, Mar 31, 2016 at 8:39 PM, Hugo Krawczyk
> wrote:
>
>>
>>
>> On Tue, Mar 29, 2016 at 9:11 AM, Sean Turner wrote:
>>
>>> All,
>>>
>>> To make sure we’ve got a clear way forward coming out of our BA
>>> sessions, we need to make s
On Thu, Mar 31, 2016 at 8:39 PM, Hugo Krawczyk
wrote:
>
>
> On Tue, Mar 29, 2016 at 9:11 AM, Sean Turner wrote:
>
>> All,
>>
>> To make sure we’ve got a clear way forward coming out of our BA sessions,
>> we need to make sure there’s consensus on a couple of outstanding issues.
>> So...
>>
>> Th
On Tue, Mar 29, 2016 at 9:11 AM, Sean Turner wrote:
> All,
>
> To make sure we’ve got a clear way forward coming out of our BA sessions,
> we need to make sure there’s consensus on a couple of outstanding issues.
> So...
>
> There also seems to be (rougher) consensus not to support 0-RTT via DHE
Hi Ekr,
> > The only way to do 0-RTT would be with a PSK (in both PSK and
> > PSK-(EC)DHE modes).
>
> I see. This is, of course, a bit unfortunate.
>
>
> Can you expand on why? The general sense of the discussion was that they
> offered similar properties.
>
The PSK-ECDHE mode i
On Thu, Mar 31, 2016 at 8:33 AM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:
> Hi Ekr,
>
>
> On 03/31/2016 05:05 PM, Eric Rescorla wrote:
> > Hannes,
> >
> > No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles.
> >
> > The only way to do 0-RTT would be with a PSK (in both
Hi Ekr,
On 03/31/2016 05:05 PM, Eric Rescorla wrote:
> Hannes,
>
> No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles.
>
> The only way to do 0-RTT would be with a PSK (in both PSK and
> PSK-(EC)DHE modes).
I see. This is, of course, a bit unfortunate.
> However, this would i
Hannes,
No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles.
The only way to do 0-RTT would be with a PSK (in both PSK and PSK-(EC)DHE
modes).
However, this would include PSKs established via a previous session, i.e.,
resumption-PSK.
-Ekr
On Thu, Mar 31, 2016 at 5:20 AM, Hannes
Hi Sean,
just to make sure that I properly understand the question: You are
suggesting to remove the DHE support but not the ECDHE support from the
0-RTT exchange.
Removing the DHE support is fine for us (at ARM) since we are focused on
ECDHE for IoT devices. The DTLS/TLS profile and other IETF
s
On 31 March 2016 at 12:41, Wan-Teh Chang wrote:
> But if you already implemented the first row, which is a must, the
> incremental effort to implement the second row seems small -- you just
> need to use server static instead of server ephemeral for SS.
Someone recently suggested that handling th
Hi Eric,
Thank you for the reply.
On Tue, Mar 29, 2016 at 10:57 AM, Eric Rescorla wrote:
>
> On Tue, Mar 29, 2016 at 10:14 AM, Wan-Teh Chang wrote:
>>
>> [...] I am curious to know how we concluded that 0-RTT PSK is simpler to
>> implement. Did anyone implement both 0-RTT modes and can compare
On Tue, Mar 29, 2016 at 09:13:57AM -0700, Bill Cox wrote:
> As most people on this list know, stateful PSK 0-RTT can be more secure
> than any scheme possible with DHE 0-RTT, stateful or not.
I disagree with this.
Both PSK and DHE can with server-side state achieve best possible
security (relat
On Tue, Mar 29, 2016 at 10:14 AM, Wan-Teh Chang wrote:
> On Tue, Mar 29, 2016 at 6:11 AM, Sean Turner wrote:
> >
> > There also seems to be (rougher) consensus not to support 0-RTT via DHE
> > (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT mode
> > as PSK. The security
On Tue, Mar 29, 2016 at 6:11 AM, Sean Turner wrote:
>
> There also seems to be (rougher) consensus not to support 0-RTT via DHE
> (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT mode
> as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT
> are almost identi
All,
To make sure we’ve got a clear way forward coming out of our BA sessions, we
need to make sure there’s consensus on a couple of outstanding issues. So...
There also seems to be (rougher) consensus not to support 0-RTT via DHE (i.e.,
semi-static DHE) in TLS 1.3 at this time leaving the on