Hi Hugo,
Following the related sources [1-4], it appears to be - as Eric called
it - a theoretical and futuristic concern. In my understanding, the main
concern was that with the key hierarchy of draft 18:
* the Handshake Secret could collide with binder_key if the attacker
is somehow abl
See full thread here
https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/
See also how this helped analysis here (search for reference [73]
https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf
On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar <
muhammad_usama.sar...@tu-
On Sun, Sep 20, 2015 at 9:56 PM, Brian Smith wrote:
> On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote:
>
>> https://github.com/tlswg/tls13-spec/pull/248
>>
>> Aside from some analytic advantages
>>
>
> What are the analytic advantages?
>
The advantages are: a cleaner separation of keys de
On Sun, Sep 20, 2015 at 6:56 PM, Brian Smith wrote:
> On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote:
>
>> https://github.com/tlswg/tls13-spec/pull/248
>>
>> Aside from some analytic advantages
>>
>
> What are the analytic advantages?
>
As I said, a clearer separation between the input ke
On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/pull/248
>
> Aside from some analytic advantages
>
What are the analytic advantages?
Also, a question that applied even to the older design: I remember the an
HKDF paper and the HKDF paper stating that b
