I prefer option 1. Russ
> On Dec 12, 2024, at 12:35 PM, Joseph Salowey <j...@salowey.net> wrote: > > Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral > keys. This was the consensus of the working group during the development of > TLS 1.3. There has been more recent discussion on the list to forbid reuse > for ML-KEM/hybrid key exchange. There are several possible options here: > > Keep things as they are (ie. say nothing, as was done in previous TLS > versions, to forbid the reuse of ephemeral keys) - this is the default action > if there is no consensus > Disallow reuse for specific ciphersuites. It doesn’t appear that there is > any real difference in this matter between MLKEM/hybrids and ECDH here except > that there are many more ECDH implementations (some of which may reuse a > keyshare) > Update 8446 to disallow reuse of ephemeral keyshares in general. This could > be done by revising RFC 8446bis or with a separate document that updates RFC > 8446/bis > > We would like to know if there are folks who think the reuse of keyshares is > important for HTTP or non-HTTP use cases. > > Thanks, > > Joe, Deirdre and Sean
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
