Hi all,

I was wondering why the design of the key exporter is such that it is based on 
the early_exporter_master_secret or the exporter_master_secret and no new key 
export is triggered at a later point in time, for example when a key update is 
performed. RFC 5705, which is used as a basis for the key exporter design in 
TLS 1.3, just states that there are protocols that want to obtain keying 
material from the TLS exchange. Neither RFC 5705 nor the TLS 1.3 spec indicates the 
design rationale of why no later events (e.g. post-handshake authentication or 
key updates) trigger a new key export. Was this done on purpose or was there 
just no use case for it at that time?

Ciao
Hannes

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
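
The behaviour asked about above, written out with the RFC 8446 formulas in Python (an added example, not part of the original message and not code from any TLS library): the exported value depends only on exporter_master_secret, so it is identical before and after KeyUpdate while the application traffic secrets change. The master secret, transcript bytes and exporter label are constructed values, and SHA-256 is assumed as the cipher suite hash.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # assumption: a SHA-256 cipher suite
HLEN = HASH().digest_size

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1): HkdfLabel = length || label || context."""
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, transcript_hash: bytes) -> bytes:
    """Derive-Secret (RFC 8446, section 7.1), taking the transcript hash directly."""
    return hkdf_expand_label(secret, label, transcript_hash, HLEN)

def tls_exporter(exporter_secret: bytes, label: bytes, context_value: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446, section 7.5); the only secret input is exporter_secret."""
    derived = derive_secret(exporter_secret, label, HASH(b"").digest())
    return hkdf_expand_label(derived, b"exporter", HASH(context_value).digest(), length)

def next_traffic_secret(traffic_secret: bytes) -> bytes:
    """application_traffic_secret_N+1 after a KeyUpdate (RFC 8446, section 7.2)."""
    return hkdf_expand_label(traffic_secret, b"traffic upd", b"", HLEN)

def demo():
    # Constructed inputs, not taken from a real handshake.
    master_secret = bytes(range(32))
    transcript_hash = HASH(b"constructed ClientHello..server Finished").digest()
    exporter_master = derive_secret(master_secret, b"exp master", transcript_hash)
    traffic = [derive_secret(master_secret, b"c ap traffic", transcript_hash)]
    ekm_before = tls_exporter(exporter_master, b"EXPERIMENTAL demo", b"", 32)
    for _ in range(2):  # two KeyUpdate messages ratchet only the traffic secret
        traffic.append(next_traffic_secret(traffic[-1]))
    ekm_after = tls_exporter(exporter_master, b"EXPERIMENTAL demo", b"", 32)
    return traffic, ekm_before, ekm_after

if __name__ == "__main__":
    print(demo())
```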
