So the actual impact here is that an attacker who has compromised a key can introduce a gap. Aren't there other options available to such an attacker? Scarier options?
On 18 December 2015 at 07:01, Cedric Fournet <four...@microsoft.com> wrote:
>
> We propose to revert this change (that is, to reset the sequence
> number each time a new key is installed, as in TLS 1.2). If the
> chaining is still required for some other reason, one could instead
> include the old sequence number in the new key derivation (or the new
> key's additional data, but we believe this is no longer an option).

Even with my question above, this seems reasonable to me.

I'll note that chaining in the way you describe would require that the rekey message (the last message of the previous epoch) be retransmitted in DTLS. That seems more brittle, but we probably want to retransmit anyway, since that would let us remove the explicit epoch from DTLS packets.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
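The following is an added toy model, not code from the thread or from any TLS implementation, that contrasts the two designs discussed above: resetting the sequence number when a new key is installed versus chaining by mixing the old epoch's final sequence number into the next key derivation. It also exercises the DTLS point in the reply: with chaining, a receiver that never sees the last record of the old epoch (the rekey message) derives a different key. The key schedule is a simplified HKDF-Expand-like step (not the RFC label encoding), an HMAC tag stands in for AEAD protection, records carry an explicit epoch as in DTLS, and the class and function names, the "KeyUpdate" payload and the sample traffic are all constructed for the example.

```python
import hmac
import hashlib

# Constructed example (not the list authors' code): a toy DTLS-style record layer
# with an explicit epoch field, used to compare "reset" and "chaining" key updates.


def derive(secret: bytes, label: bytes, context: bytes) -> bytes:
    """Simplified HKDF-Expand-like step (single HMAC block); assumed, not the TLS 1.3 encoding."""
    info = bytes([len(label)]) + label + bytes([len(context)]) + context
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()


def next_epoch_key(key: bytes, last_seq=None) -> bytes:
    """Reset mode (last_seq is None): the new key depends only on the old key and
    the sequence number restarts at 0.  Chaining mode: the old epoch's final
    sequence number is mixed into the derivation, so both sides must agree on it."""
    ctx = b"" if last_seq is None else last_seq.to_bytes(8, "big")
    return derive(key, b"traffic upd", ctx)


def tag_for(key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    # HMAC tag standing in for AEAD; epoch and sequence number are authenticated.
    return hmac.new(key, bytes([epoch]) + seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()[:16]


class Sender:
    def __init__(self, key: bytes, chaining: bool):
        self.key, self.epoch, self.seq, self.chaining = key, 0, 0, chaining

    def send(self, payload: bytes):
        rec = (self.epoch, self.seq, payload, tag_for(self.key, self.epoch, self.seq, payload))
        self.seq += 1
        return rec

    def key_update(self):
        rec = self.send(b"KeyUpdate")  # last record of the old epoch (the rekey message)
        self.key = next_epoch_key(self.key, self.seq - 1 if self.chaining else None)
        self.epoch += 1
        self.seq = 0  # sequence number restarts with the new key in both modes
        return rec


class Receiver:
    def __init__(self, key: bytes, chaining: bool):
        self.key, self.epoch, self.chaining = key, 0, chaining
        self.last_seq = None  # highest authenticated sequence number seen in this epoch

    def receive(self, rec) -> bool:
        epoch, seq, payload, tag = rec
        if epoch == self.epoch + 1:
            # Explicit epoch advanced: derive the new key from what we know of the old epoch.
            if self.chaining and self.last_seq is None:
                raise ValueError("cannot chain without the previous epoch's final sequence number")
            self.key = next_epoch_key(self.key, self.last_seq if self.chaining else None)
            self.epoch, self.last_seq = epoch, None
        ok = hmac.compare_digest(tag, tag_for(self.key, epoch, seq, payload))
        if ok:
            self.last_seq = seq if self.last_seq is None else max(self.last_seq, seq)
        return ok


def run(chaining: bool, drop_key_update: bool):
    """Returns the per-record authentication results seen by the receiver."""
    key = b"\x11" * 32  # constructed initial traffic key
    s, r = Sender(key, chaining), Receiver(key, chaining)
    records = [s.send(b"app-0"), s.send(b"app-1"), s.key_update(), s.send(b"app-2")]
    if drop_key_update:
        records.pop(2)  # the network drops the rekey message and it is never retransmitted
    return [r.receive(rec) for rec in records]


if __name__ == "__main__":
    for chaining in (False, True):
        for drop in (False, True):
            print(f"chaining={chaining} drop_key_update={drop}: {run(chaining, drop)}")
```

In reset mode the receiver only needs the explicit epoch to know a new key is in use, so losing the rekey message costs nothing. In chaining mode the receiver's best guess at the old epoch's final sequence number is the last record it authenticated, which is wrong whenever the rekey message itself was lost, and the first record of the new epoch fails to verify; that is the retransmission requirement the reply points out.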