Folks, As promised, I've written a PR that describes the new negotiation syntax we discussed in Berlin. I also have prototype implementation of this in NSS and it's quite a bit cleaner than the previous negotiation design. I think that others have found the same thing.
https://github.com/tlswg/tls13-spec/pull/559 IMPORTANT: This new negotiation syntax allows for two modes that were not previously available with TLS 1.3: PSK and PSK-(EC)DHE with server-side signatures. This construction should be safe with resumption-PSK (this is why we introduced the resumption_ctx design), but as noted in Antoine's recent message [0], this is not safe with non-resumption PSK with the all-zeroes resumption context that we now use with external PSKs. I have an action item to fix that, so just keep that in the back of your head as you review this PR. Comments welcome. -Ekr [0] https://www.ietf.org/mail-archive/web/tls/current/msg20637.html
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls