Hi Martin, just to clarify: you add an additional HKDF.Expand step, not HKDF.Extract, right?
You mentioned extract in the email and PR text, but in code it's a second expand---which makes sense, as only expand allows adding context (here: label).

Cheers,
Felix

On 23/02/2017 20:30 -0800, Martin Thomson wrote:
> https://github.com/tlswg/tls13-spec/pull/882 contains the longer description.
>
> In short, the existence of an exporter secret threatens the forward
> secrecy of any exported secret. This is a problem for QUIC and is
> likely to be a more general problem.
>
> The proposed fix is small: separate exporters into two steps
> (extract+expand) where the first step allows for separation based on
> exporter type and the second on context. That allows an endpoint to
> keep separate secrets for each exporter type and discard those that it
> no longer needs, thus gaining forward secrecy if it likes.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
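
The two-step derivation discussed in this thread, as an added example that is not part of the original messages or of the TLS 1.3 draft text: two chained HKDF-Expand calls (RFC 5869), the first keyed by exporter label and the second by context. The `info` encoding, the label strings and the sample secret are assumptions made for this sketch; TLS 1.3 uses its own HkdfLabel structure.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869: T(i) = HMAC(prk, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _info(tag: bytes, value: bytes) -> bytes:
    # Simplified length-prefixed info string (assumption for this sketch,
    # not the TLS 1.3 HkdfLabel encoding).
    return bytes([len(tag)]) + tag + bytes([len(value)]) + value


def per_label_secret(exporter_secret: bytes, label: bytes) -> bytes:
    """Step 1: one expand per exporter type (label)."""
    return hkdf_expand(exporter_secret, _info(b"label", label), HASH_LEN)


def export(label_secret: bytes, context: bytes, length: int) -> bytes:
    """Step 2: second expand, binding the caller's context."""
    ctx_hash = HASH(context).digest()
    return hkdf_expand(label_secret, _info(b"context", ctx_hash), length)


def demo() -> dict:
    exporter_secret = bytes(range(32))  # constructed sample value
    # Hypothetical labels; derive only the per-label secrets still needed.
    a = per_label_secret(exporter_secret, b"EXPORTER-example-a")
    b = per_label_secret(exporter_secret, b"EXPORTER-example-b")
    # Drop the reference to the shared secret; a real endpoint would erase it.
    del exporter_secret
    # Exports for label "a" still work; "b" can be discarded independently.
    return {
        "a_ctx1": export(a, b"ctx-1", 32),
        "a_ctx2": export(a, b"ctx-2", 32),
        "b_ctx1": export(b, b"ctx-1", 32),
    }
```

Because HKDF-Expand is one-way, holding only the per-label secret for one exporter type does not allow recomputing the shared exporter secret or the outputs of any other label.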