On Mon, Feb 19, 2024, at 04:44, Eric Rescorla wrote:
> I wouldn't object to more analysis, but given the relatively narrow
> remit of this document and that changing the key schedule would
> obviously create wire format incompatibilities, I wouldn't want to do
> that absent some evidence that the change was insecure as opposed to
> unnecessary.

If the concern is that the protocol has some unnecessary steps, that's not something that we should fix unless there was a credible concern about security raised. At that point, we'd definitely want more analysis. As it stands, there is an assertion that this extra Derive-Secret call is wasteful. That might be true, but for a protocol that secures billions of connections each day, I would say that the standard required to make a change is a bit higher than "might be wasteful". Yes, the cost of any waste is amplified by a very large factor, but the cost of a change -- any change -- is significantly higher, at least in my reckoning.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls