On Thu, Mar 31, 2016 at 10:08 AM, Benjamin Kaduk <bka...@akamai.com> wrote:
> On 03/31/2016 12:02 PM, Bill Cox wrote:
>
> On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>
>> Hi Sean,
>>
>> we at ARM would find it somewhat unfortunate to remove the client
>> authentication feature from the 0-RTT exchange since this is one of the
>> features that could speed up the exchange quite significantly and would
>> make a big difference compared to TLS 1.2.
>
> Client certs can still be used with PSK 0-RTT, but only on the initial
> 1-RTT handshake. It is up to the client to ensure that the security of the
> resumption master secret (RMS) is solid enough to warrant doing 0-RTT
> session resumption without re-verification of the client cert.
>
> That seems to rule out most corporate uses of client certs [for 0-RTT
> client authentication], since I doubt anyone will be interested in trusting
> that the client does so properly.
>
> -Ben

You would think so, but in TLS 1.2, the client only proves possession of the certificate key on the initial connection, and not again on resumption, so corporations are already trusting the client to maintain the security of their resumption tickets and cache. This seems like a significant security issue that is not well known.

Bill
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls