Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral keys. This was the consensus of the working group during the development of TLS 1.3. There has been more recent discussion on the list to forbid reuse for ML-KEM/hybrid key exchange. There are several possible options here:
1. Keep things as they are (ie. say nothing, as was done in previous TLS versions, to forbid the reuse of ephemeral keys) - this is the default action if there is no consensus 2. Disallow reuse for specific ciphersuites. It doesn’t appear that there is any real difference in this matter between MLKEM/hybrids and ECDH here except that there are many more ECDH implementations (some of which may reuse a keyshare) 3. Update 8446 to disallow reuse of ephemeral keyshares in general. This could be done by revising RFC 8446bis or with a separate document that updates RFC 8446/bis We would like to know if there are folks who think the reuse of keyshares is important for HTTP or non-HTTP use cases. Thanks, Joe, Deirdre and Sean
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
