I support some variation of 2 or 3, depending on what encounters the most
resistance. I agree there is no technical reason to disallow it for e.g.
X25519MLKEM768 and not X25519, but in practice it might be easier to set a new
rule for something that's still being rolled out and still a draft.

Both ECDH and KEMs support key share (or public key) reuse *in theory* but in
practice it makes implementation issues much more likely to be practically
exploitable, and the hypothetical performance gain of reuse is marginal. The
spec should defend against that and point implementations towards the safer
course of action.

As always, there is no protocol police, so implementations that want to risk
shooting their foot off will be able to do so, but they will be off-spec, which
is a useful signal.