Thanks for participating in this consensus call. The result is that there is not enough consensus to change the recommendation on the re-use of ephemeral keys to MUST NOT. Note that RFC 8446/8446-bis is silent on the issue and RFC 9325 (BCP 195)[1] provides guidance on conditions for making reuse acceptable. The chairs therefore do not plan for any updates to change 8446 at this point.

Thanks,

Joe, Sean, and Deirdre

[1] https://www.rfc-editor.org/rfc/rfc9325.html#name-diffie-hellman-exponent-reu

On Thu, Dec 12, 2024 at 9:35 AM Joseph Salowey <j...@salowey.net> wrote:

> Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral
> keys. This was the consensus of the working group during the development
> of TLS 1.3. There has been more recent discussion on the list to forbid
> reuse for ML-KEM/hybrid key exchange. There are several possible options
> here:
>
> 1. Keep things as they are (ie. say nothing, as was done in previous TLS
>    versions, to forbid the reuse of ephemeral keys) - this is the default
>    action if there is no consensus
> 2. Disallow reuse for specific ciphersuites. It doesn’t appear that
>    there is any real difference in this matter between MLKEM/hybrids and ECDH
>    here except that there are many more ECDH implementations (some of which
>    may reuse a keyshare)
> 3. Update 8446 to disallow reuse of ephemeral keyshares in general. This
>    could be done by revising RFC 8446bis or with a separate document that
>    updates RFC 8446/bis
>
> We would like to know if there are folks who think the reuse of keyshares
> is important for HTTP or non-HTTP use cases.
>
> Thanks,
>
> Joe, Deirdre and Sean

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org