tlswg / tls13-spec

TLS 1.3 Specification

Privacy and PSK identifiers #1333

Closed: emanjon closed this 6 months ago

emanjon commented 8 months ago

Based on Christian Huitema's discussion of potential solutions: https://mailarchive.ietf.org/arch/msg/tls/QuKsIu1gZFDfLn1x-ZnOE_LQxyc/

Encrypting the PSK identity using mechanisms external to TLS is missing in the current text. I added as little as possible. I did not go into details of the external encryption (could be asymmetric, symmetric group key, or pairwise symmetric with trial decryption).

emanjon commented 8 months ago

Christian Huitema pointed out in a private discussion that alternatively the PSK can be encrypted instead of the PSK ID. This is already used in real-world systems, e.g., IETF ACE. I think it would be good to mention that as well. This is very similar to the TLS internal session tickets but external to TLS.

martinthomson commented 8 months ago

Does this need more words to describe what sort of encryption would be acceptable?

Something that included a nonce would be OK, just as something rerandomizable would. But something that is effectively static would not achieve the stated goal.
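An added illustration of the nonce-versus-static distinction raised above (editor's example, not code from the PR or the specification): a client wraps its PSK identity under a pairwise key shared out of band, once with a fresh per-connection nonce and once with a fixed one, and a passive observer's check shows which variant lets connections be linked. The key, the HMAC-SHA256 counter-mode stream plus HMAC tag, and the identity string are all constructed for the demo; a real deployment would use a standard AEAD.

```python
"""Encrypted PSK identities: per-connection nonce vs. effectively static wrapping."""
import hashlib
import hmac
import secrets

# Constructed demo key; in practice shared with the server out of band.
WRAP_KEY = secrets.token_bytes(32)
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_identity(identity: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC the identity; wire format is nonce || ciphertext || tag."""
    ks = _keystream(WRAP_KEY, nonce, len(identity))
    ct = bytes(a ^ b for a, b in zip(identity, ks))
    tag = hmac.new(WRAP_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_identity(blob: bytes) -> bytes:
    """Server side: verify the tag, then recover the plaintext identity."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(WRAP_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag on wrapped PSK identity")
    return bytes(a ^ b for a, b in zip(ct, _keystream(WRAP_KEY, nonce, len(ct))))


def wrap_static(identity: bytes) -> bytes:
    """Effectively static wrapping: fixed nonce, so equal identities give equal blobs."""
    return wrap_identity(identity, bytes(NONCE_LEN))


def wrap_with_nonce(identity: bytes) -> bytes:
    """Fresh nonce per connection: equal identities give different blobs."""
    return wrap_identity(identity, secrets.token_bytes(NONCE_LEN))


def linkable(blobs: list[bytes]) -> bool:
    """Passive observer's check: identical on-the-wire identities link connections."""
    return len(set(blobs)) < len(blobs)
```

Both variants decrypt correctly on the server, so the nonce costs nothing in functionality; only the static variant leaks that the same client is behind repeated handshakes.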

seanturner commented 7 months ago

@emanjon thoughts?

ekr commented 6 months ago

I am just going to merge this minimal change. We're giving people a hint, not telling them how to design it.