Support for PSK handshakes

[artoniemi]

We need to add a way to transmit evidence in PSK-handshakes which do not (*) include Certificate (CT) and CertificateVerify (CV) messages. Some possibilities include:

• Server can send the evidence or results in EncryptedExtensions
• Client could send evidence or results in ClientHello extension (then server does not get freshness guarantee, but this might be acceptable e.g. in passport model
• Both parties can send evidence over the established TLS session and include channel bindings in evidence (requires an extra roundtrip)

(*): RFC 8446 is not 100% clear whether sending CT and CV is forbidden in PSK handshakes, but it is strongly implied. For example 2.2. says "As the server is authenticating via a PSK, it does not send a Certificate or a CertificateVerify message." It's likely that many TLS implementations abort the handshake when encountering CR, CT or CV in a PSK handshake.

[ionut-arm]

Client could send evidence or results in ClientHello extension (then server does not get freshness guarantee, but this might be acceptable e.g. in passport model

This also assumes that the server is happy to accept that specific type of evidence / result, without negotiation. This is maybe more acceptable in PSK mode since there's an implied existing relationship between the peers which could include pre-agreement of the formats / identities.

[thomas-fossati]

Let's bring this to the mailing list.

Action for @thomas-fossati