With option (2) would the keys end up being independent anyway? I think we might need to share the sequence number space between the handshake messages and the application data messages to avoid truncation attacks. I might have missed this, but was there a proposal to deal with sequence numbers for option (2).
I prefer option (1) since it actually offers some privacy guarantees. Subodh ________________________________________ From: TLS [tls-boun...@ietf.org] on behalf of Björn Tackmann [btackm...@eng.ucsd.edu] Sent: Tuesday, June 14, 2016 1:45 PM To: tls@ietf.org Subject: Re: [TLS] Consensus call for keys used in handshake and data messages Just to be clear: the "+1" I sent earlier meant "I agree with Karthik" -- so it means solution (2). > On Jun 14, 2016, at 1:18 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> > wrote: > > Key reuse often ends up causing problems. IMHO a more sound approach is (2). > IMHO it isn't prohibitively expensive either. > > Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. > Original Message > From: Björn Tackmann > Sent: Tuesday, June 14, 2016 05:23 > To: tls@ietf.org > Subject: Re: [TLS] Consensus call for keys used in handshake and data > messages > > +1 > > >> On Jun 14, 2016, at 7:08 AM, Karthikeyan Bhargavan >> <karthik.bharga...@gmail.com> wrote: >> >> I prefer (2) >> >>> On 13 Jun 2016, at 22:27, Daniel Kahn Gillmor <d...@fifthhorseman.net> >>> wrote: >>> >>> On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote: >>>> 1. Use the same key for handshake and application traffic (as in the >>>> current draft-13) >>>> >>>> or >>>> >>>> 2. Restore a public content type and different keys >>> >>> Given this choice, i prefer (1). >>> >>> --dkg >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=51hv3XazVlAM5-C2nNBPsem5FotA1PNxnRQasbSa0sc&s=wAkXyaR6H8OBIwkPYvnVJClJb5pdbQKYE9gf6wApqB4&e= >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=51hv3XazVlAM5-C2nNBPsem5FotA1PNxnRQasbSa0sc&s=wAkXyaR6H8OBIwkPYvnVJClJb5pdbQKYE9gf6wApqB4&e= > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=51hv3XazVlAM5-C2nNBPsem5FotA1PNxnRQasbSa0sc&s=wAkXyaR6H8OBIwkPYvnVJClJb5pdbQKYE9gf6wApqB4&e= > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=51hv3XazVlAM5-C2nNBPsem5FotA1PNxnRQasbSa0sc&s=wAkXyaR6H8OBIwkPYvnVJClJb5pdbQKYE9gf6wApqB4&e= _______________________________________________ TLS mailing list TLS@ietf.org https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=51hv3XazVlAM5-C2nNBPsem5FotA1PNxnRQasbSa0sc&s=wAkXyaR6H8OBIwkPYvnVJClJb5pdbQKYE9gf6wApqB4&e= _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
