On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
> I'm sitting here in TRON listening to Karthik describe all the various
> ways in which client authentication in 0-RTT is bad. I'm particularly
> sympathetic to the perpetual impersonation attack that arises when the
> client's ephemeral key is compromised.
>
> We originally thought that we might want to do this for
> WebRTC/real-time. As it so happens, we have an alternative design
> that doesn't need this, so...
>
> I propose that we remove client authentication from 0-RTT.
>
> This should simplify the protocol considerably.

The token-binding(*) folks care about authenticating 0-RTT requests,
although they are currently working at the application-layer[1] and so
would be recreating 0-RTT client authentication on top of TLS. (They
would thus have all the same issues, but we already knew that.)

If there was still a channel-binding value available at 0-RTT time,
they should be happy.

(* To recap, token-binding wants to eliminate the bearer-token nature
of cookies in order to avoid several issues. For example,
Heartbleed-like leaks of cookie data, origin confusion attacks[2] etc.)

Cheers

AGL

[1] https://tools.ietf.org/html/draft-ietf-tokbind-protocol-04
[2] http://antoine.delignat-lavaud.fr/doc/www15.pdf

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
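
Added example, not part of the original message and not taken from the Token Binding draft: a Go illustration of why a key-bound cookie depends on a per-connection channel-binding value. The function names, the HMAC-sealed cookie and the Ed25519 proof are assumptions made for illustration, and the channel-binding values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

var serverKey = []byte("constructed-demo-key") // server-side cookie MAC key (constructed)

// issueCookie seals a session to the client's public key, so the cookie
// alone is no longer a bearer token.
func issueCookie(session string, pub ed25519.PublicKey) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write(pub)
	m.Write([]byte(session))
	return m.Sum(nil)
}

// accept requires the cookie to match pub AND a signature by pub over the
// channel-binding value of the connection the request arrived on.
func accept(session string, cookie []byte, pub ed25519.PublicKey, proof, cb []byte) bool {
	return hmac.Equal(cookie, issueCookie(session, pub)) && ed25519.Verify(pub, cb, proof)
}

// scenarios returns: a legitimate request, a copied cookie presented with a
// different key, a proof replayed on a second connection, and a proof made
// over a fixed value, which stays valid on every connection.
func scenarios() (ok, copied, replayed, replayedFixed bool) {
	pub, priv, err := ed25519.GenerateKey(nil)
	otherPub, otherPriv, err2 := ed25519.GenerateKey(nil)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	// Constructed stand-ins for two connections' channel-binding values.
	cb1, cb2 := sha256.Sum256([]byte("conn-1")), sha256.Sum256([]byte("conn-2"))
	cookie := issueCookie("alice", pub)
	proof1 := ed25519.Sign(priv, cb1[:])
	ok = accept("alice", cookie, pub, proof1, cb1[:])
	copied = accept("alice", cookie, otherPub, ed25519.Sign(otherPriv, cb2[:]), cb2[:])
	replayed = accept("alice", cookie, pub, proof1, cb2[:])
	fixed := []byte("no per-connection value") // what is left without a binding
	replayedFixed = accept("alice", cookie, pub, ed25519.Sign(priv, fixed), fixed)
	return
}

func main() {
	fmt.Println(scenarios()) // true false false true
}
```

The last result is the case the message is concerned with: without a channel-binding value at 0-RTT time, the proof is no longer tied to one connection.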