On Thu, 12 Dec 2024 at 21:37, Joseph Salowey <j...@salowey.net> wrote:
>
> Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral
> keys. This was the consensus of the working group during the development of
> TLS 1.3. There has been more recent discussion on the list to forbid reuse
> for ML-KEM/hybrid key exchange. There are several possible options here:
>
> 1. Keep things as they are (i.e. say nothing, as was done in previous TLS
>    versions, to forbid the reuse of ephemeral keys) - this is the default
>    action if there is no consensus
>
> 2. Disallow reuse for specific ciphersuites. It doesn’t appear that there is
>    any real difference in this matter between MLKEM/hybrids and ECDH here
>    except that there are many more ECDH implementations (some of which may
>    reuse a keyshare)
>
> 3. Update 8446 to disallow reuse of ephemeral keyshares in general. This
>    could be done by revising RFC 8446bis or with a separate document that
>    updates RFC 8446/bis
>
I would favour option 3.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org