On Fri, Jul 20, 2018 at 10:43:48AM +0100, Matt Caswell wrote:
>
> On 20/07/18 10:38, Eric Rescorla wrote:
> > The issue is not cross-protocol attacks; it's the reuse of PSKs with
> > different KDFs, which we don't have any analysis for and which the TLS
> > 1.3 document prohibits.
>
> Can you supply the reference for that prohibition?
>
Section 'Pre-Shared Key Extension'. In particular, the paragraph
starting "Each PSK is associated with a single Hash algorithm."

That one prohibits using a PSK associated with a hash with another hash.

However, I did not find a prohibition of using PSKs from prior versions of
TLS using SHA-256 as the associated hash (as that is the default).

-Ilari
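
Added example, not part of the original message or of any TLS library: a sketch of the server-side check that the cited paragraph implies, where a PSK is only selected together with a cipher suite whose KDF hash matches the PSK's associated hash, and a PSK with no defined hash is treated as SHA-256. The names `Psk`, `select_psk` and `early_secret` and all key material are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# KDF hash of each TLS 1.3 cipher suite (RFC 8446, Appendix B.4).
SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
}

@dataclass
class Psk:
    identity: bytes
    key: bytes
    hash_name: Optional[str] = None  # None: external PSK with no hash defined

    @property
    def bound_hash(self) -> str:
        # A PSK with no defined hash defaults to SHA-256.
        return self.hash_name or "sha256"

def early_secret(psk: Psk, hash_name: Optional[str] = None) -> bytes:
    """TLS 1.3 Early Secret: HKDF-Extract(salt=zeros, IKM=PSK).
    hash_name overrides the bound hash only to show what reuse would do."""
    h = hash_name or psk.bound_hash
    salt = bytes(hashlib.new(h).digest_size)
    # HKDF-Extract(salt, IKM) is HMAC-Hash(key=salt, msg=IKM).
    return hmac.new(salt, psk.key, h).digest()

def select_psk(offered, client_suites, server_suites):
    """Return (psk, suite) for the first hash-compatible pair, or None,
    in which case the server falls back to a full handshake."""
    for psk in offered:
        for suite in server_suites:
            if suite in client_suites and SUITE_HASH[suite] == psk.bound_hash:
                return psk, suite
    return None

# Constructed sample data: a ticket PSK from a SHA-384 connection and an
# external PSK provisioned without a hash.
TICKET = Psk(b"ticket-1", bytes(range(48)), "sha384")
EXTERNAL = Psk(b"ext-1", b"constructed external key material")
```

The `hash_name` override on `early_secret` exists only to make the reuse case visible: the same key fed through two KDFs yields unrelated secrets, which is the combination the thread says has no analysis behind it.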