+1
On Sun, Feb 21, 2016 at 11:31 AM, Martin Thomson <martin.thom...@gmail.com>
wrote:
I'm sitting here in TRON listening to Karthik describe all the various
ways in which client authentication in 0-RTT is bad. I'm particularly
sympathetic to the perpetual impersonation attack that arises when the
client's ephemeral key is compromised.
We originally thought that we might want to do this for
WebRTC/real-time. As it so happens, we have an alternative design
that doesn't need this, so...
I propose that we remove client authentication from 0-RTT.
This should simplify the protocol considerably.
https://github.com/tlswg/tls13-spec/issues/420
[1] Compromising the server's long term key has the same impact, but
that's interesting for other, worse reasons.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
