On Thu, Jan 04, 2024 at 11:42:13AM +0000, Tschofenig, Hannes wrote:
> Hi all,
>
> we have just submitted a draft that extends the key update
> functionality of TLS/DTLS 1.3. We call it the "extended key update"
> because it performs an ephemeral Diffie-Hellman as part of the key
> update.
>
> The need for this functionality surfaced in discussions in a design
> team of the TSVWG. The need for it has, however, already been
> discussed years ago on the TLS mailing list in the context of
> long-lived TLS connections in industrial IoT environments. Unlike the
> TLS 1.3 Key Update message, which is a one-shot message, the extended
> Key Update message requires a full roundtrip.
>
> Here is the link to the draft:
> https://datatracker.ietf.org/doc/draft-tschofenig-tls-extended-key-update/

Some quick comments:

- The supported_groups in EE is optional. The group used in initial
  handshake is always considered supported, right?

- I can't quite parse what is going on in figure 3.

- The endpoint sending EKU with update_requested is the initiator for
  groups that have asymmetric roles, right?

- Crossed extended key update with DTLS sounds complicated enough that
  there should be an argument it works even with various message loss
  or reordering patterns.

- TLS 1.3 limits labels in key schedule to 12 bytes (so that all the
  data fits into SHA256 block), but the label used here appears to be
  13 bytes.

-Ilari
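
The arithmetic behind the last comment, as an added example that is not part of the original message or of the draft: it encodes the RFC 8446 HkdfLabel structure and counts the SHA-256 compression blocks in the HMAC inner hash of HKDF-Expand. The 13-byte label is a constructed placeholder, not the draft's actual label, and a 32-byte context (as in Derive-Secret with SHA-256) is assumed.

```python
import struct

SHA256_BLOCK = 64    # bytes consumed per compression-function call
SHA256_PAD_MIN = 9   # mandatory padding: 0x80 marker + 8-byte bit length


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Encode HkdfLabel (RFC 8446, section 7.1):
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>.
    """
    full = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def inner_hash_blocks(info: bytes) -> int:
    """Compression calls for the HMAC inner hash of the first HKDF-Expand round.

    Inner hash input is (key XOR ipad), exactly one block, followed by
    info and the single counter byte 0x01.
    """
    msg_len = SHA256_BLOCK + len(info) + 1
    return -(-(msg_len + SHA256_PAD_MIN) // SHA256_BLOCK)  # ceiling division


def blocks_for_label(label: bytes, hash_len: int = 32) -> int:
    # Constructed context: all-zero bytes standing in for a transcript hash.
    context = bytes(hash_len)
    return inner_hash_blocks(hkdf_label(hash_len, label, context))


if __name__ == "__main__":
    samples = [
        b"c hs traffic",    # 12 bytes, a label from RFC 8446
        b"thirteen_byte",   # 13 bytes, constructed placeholder label
    ]
    for label in samples:
        info_len = len(hkdf_label(32, label, bytes(32)))
        print(f"{label!r}: label={len(label)}B info={info_len}B "
              f"inner-hash blocks={blocks_for_label(label)}")
```

With a 12-byte label the info plus counter byte is 55 bytes, which together with the 9 bytes of padding fills the second block exactly; one more label byte forces a third compression call.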