Hi Hugo,
On 25 February 2017 at 03:47, Hugo Krawczyk <h...@ee.technion.ac.il> wrote: > Martin, > > Which of these two derivation schemes are you proposing? I mean the latter of your two, where you have effectively three layers of HKDF-Expand from the master secret. master secret -> exporter secret exporter secret + exporter type (label) -> specific exporter secret[label] exporter secret[label] + context -> exporter value (Just like what Ilari said.) I think that is easier for implementation reasons to manage. Splitting off from the master secret allows implementations to defer some of the exporter-related processing and decisions until later. > Are you assuming that all uses of the exporter_secret are known at the end of > the handshake? If not, you still need to keep an exporter_secret beyond the > handshake. Yes, this is correct. This assumes that you know the *type* of all exporters you might support. I think that this is a reasonable assumption since each exporter relies on implementing a specification for that exporter and having code for it. For example, you might have a list of supported exporters, for which you could derive the intermediate value. > Thus, both of the above possible derivations are OK from the point of view > of HKDF. Thanks. I thought that it was OK, but having you confirm that makes me much happier. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
