The discussion on the list supports the consensus in the IETF 95 meeting to remove DHE-based 0-RTT modes. The mode should be removed from the draft.

Cheers,
J&S

On Tue, Mar 29, 2016 at 6:11 AM, Sean Turner <s...@sn3rd.com> wrote:

> All,
>
> To make sure we’ve got a clear way forward coming out of our BA sessions,
> we need to make sure there’s consensus on a couple of outstanding issues.
> So...
>
> There also seems to be (rougher) consensus not to support 0-RTT via DHE
> (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT mode
> as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT are
> almost identical, but 0-RTT PSK has better performance properties and is
> simpler to specify and implement. Note that this does not permanently
> preclude supporting DHE-based 0-RTT in a future extension, but it would not
> be in the initial TLS 1.3 RFC.
>
> If you think that we should keep DHE-based 0-RTT please indicate so now
> and provide your rationale.
>
> J&S
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls