I prefer 2. On Thu, Dec 12, 2024 at 6:37 PM Joseph Salowey <j...@salowey.net> wrote:
> Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral > keys. This was the consensus of the working group during the development > of TLS 1.3. There has been more recent discussion on the list to forbid > reuse for ML-KEM/hybrid key exchange. There are several possible options > here: > > > 1. > > Keep things as they are (ie. say nothing, as was done in previous TLS > versions, to forbid the reuse of ephemeral keys) - this is the default > action if there is no consensus > 2. > > Disallow reuse for specific ciphersuites. It doesn’t appear that > there is any real difference in this matter between MLKEM/hybrids and ECDH > here except that there are many more ECDH implementations (some of which > may reuse a keyshare) > 3. > > Update 8446 to disallow reuse of ephemeral keyshares in general. This > could be done by revising RFC 8446bis or with a separate document that > updates RFC 8446/bis > > > We would like to know if there are folks who think the reuse of keyshares > is important for HTTP or non-HTTP use cases. > > > Thanks, > > > Joe, Deirdre and Sean > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
