On 2023-01-07, 18:13, "Stephen Farrell" <stephen.farr...@cs.tcd.ie> wrote:
>Hiya,
>
>On 07/01/2023 15:46, John Mattsson wrote:
>> My current understanding is that draft-ietf-tls-esni should require
>> that the server MUST NOT reuse key shares. Unless I miss something
>> I suggest adding that and one or two of the above figures to the
>> draft. An alternative solution would be to extend the ECH encryption
>> to also cover ServerHello. If I understand ECH correctly, the
>> ServerHello is still unencrypted.
>
>I'd support adding a requirement that key shares not be
>re-used, either as a general thing or in an ECH-specific
>manner.

I made an issue and PR for RFC8446bis. For privacy reasons, I think this should be SHOULD NOT as a general thing. For servers using ECH, I think MUST NOT seems motivated. Does MUST NOT lead to DoS problems for servers using x25519?

https://github.com/tlswg/tls13-spec/issues/1285
https://github.com/tlswg/tls13-spec/pull/1286

Cheers,
John
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls