Scenario: pre-knowledge of server static public key, but need to authenticate the clients (can be multiple). Out of hydrogen's currently supported patterns, only KK and XX provide client authentication. However, KK requires that the server knows the client's key from the start, which isn't a good fit when there are multiple clients, and XX would proceed with working communication even when we've connected to the wrong server (would need to explicitly check the server's key). Right?
IK avoids these drawbacks. It is also the pattern used by WireGuard (of course, we're not talking compatibility here, just precedent that a reputable project in a similar scenario made that choice).
X is the first packet in IK, so can be had with no added code. It will also provide a way to start communication before the IK handshake completes, initially at weaker security properties.
Scenario: pre-knowledge of server static public key, but need to authenticate the clients (can be multiple). Out of hydrogen's currently supported patterns, only KK and XX provide client authentication. However, KK requires that the server knows the client's key from the start, which isn't a good fit when there are multiple clients, and XX would proceed with working communication even when we've connected to the wrong server (would need to explicitly check the server's key). Right?
IK avoids these drawbacks. It is also the pattern used by WireGuard (of course, we're not talking compatibility here, just precedent that a reputable project in a similar scenario made that choice).
X is the first packet in IK, so can be had with no added code. It will also provide a way to start communication before the IK handshake completes, initially at weaker security properties.