On 03/31/2016 12:21 PM, Eric Rescorla wrote:
>
>
> On Thu, Mar 31, 2016 at 10:17 AM, Benjamin Kaduk <bka...@akamai.com
> <mailto:bka...@akamai.com>> wrote:
>
>     On 03/31/2016 12:13 PM, Eric Rescorla wrote:
>>
>>
>>     On Thu, Mar 31, 2016 at 10:08 AM, Benjamin Kaduk
>>     <bka...@akamai.com <mailto:bka...@akamai.com>> wrote:
>>
>>         On 03/31/2016 12:02 PM, Bill Cox wrote:
>>>         On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig
>>>         <hannes.tschofe...@gmx.net
>>>         <mailto:hannes.tschofe...@gmx.net>> wrote:
>>>
>>>             Hi Sean,
>>>
>>>             we at ARM would find it somewhat unfortunate to remove
>>>             the client
>>>             authentication feature from the 0-RTT exchange since
>>>             this is one of the
>>>             features that could speed up the exchange quite
>>>             significantly and would
>>>             make a big difference compared to TLS 1.2.
>>>
>>>
>>>         Client certs can still be used with PSK 0-RTT, but only on
>>>         the initial 1-RTT handshake. It is up to the client to
>>>         ensure that the security of the resumption master secret
>>>         (RMS) is solid enough to warrant doing 0-RTT session
>>>         resumption without re-verification of the client cert.
>>
>>         That seems to rule out most corporate uses of client certs
>>         [for 0-RTT client authentication], since I doubt anyone will
>>         be interested in trusting that the client does so properly.
>>
>>
>>     Do those servers generally carry over client auth through resumption?
>>
>
>     I don't know, offhand. I just wanted to point out that for one
>     sizeable use case for client certs in general (not considering
>     0RTT), this proposed scheme does not seem useful. It may still be
>     useful in other use cases, of course.
>
>
> I'm really not following you here.
>

Sorry. I did not really make a very clear point.

> My point is that for TLS 1.2 there are two categories of servers that
> do client auth:
>
> - Those which carry over client auth through resumption
> - Those which do not
>
> The former should be equally happy (modulo all the concerns about
> replay, etc.) to carry over
> client auth through 0-RTT resumption. The latter will presumably not
> be but can do 1-RTT.
> The question then becomes how large the two populations are.
>

I guess I was thinking about the latter, and trying to note (but not actually doing so) that they would have to do 1-RTT.

I think this subthread has outlived its useful existence...

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls