On Sun, Mar 09, 2025 at 12:33:38PM +0000, John Mattsson wrote:
> I find the current situation of key shares being reused without the
> other peer knowing unacceptable and frankly the worst possible option.
In general terms, your expectations are unrealistic. The best you can do, if you think you're in a position to influence remote server behaviour rather than just take an ineffective principled stand, is to detect a duplicate keyshare from a previous connection and abort.

However, you'll be thrilled to learn that it is not possible for a TLS server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral ML-KEM keyshare. TLS servers don't have ML-KEM keys; they just perform encapsulation against the client's public key, so there's nothing for the server to reuse (KEMs aren't (EC)DH key exchange). So while the X25519 portion of the server's key could be reused, the ML-KEM portion will not be.

-- 
Viktor.
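The point above, sketched as an added example that is not from this thread: the server side of an X25519MLKEM768 key share in Go (crypto/mlkem, Go 1.24+), where the server's only ML-KEM contribution is an encapsulation against the client's fresh encapsulation key, together with the client-side duplicate-share check Viktor describes, applied to the server's X25519 share. The X25519 ECDH computation and all TLS framing are assumed away, and `serverRespond`, `Client` and `Connect` are names invented here.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// serverRespond: the server side of an X25519MLKEM768 key share. The server holds
// no ML-KEM key; it encapsulates to the client's ephemeral encapsulation key and
// returns the ciphertext. serverX is the only state it could reuse (ECDH omitted).
func serverRespond(ek *mlkem.EncapsulationKey768, serverX *ecdh.PrivateKey) (kemSS, ct, serverXPub []byte) {
	kemSS, ct = ek.Encapsulate()
	return kemSS, ct, serverX.PublicKey().Bytes()
}

// Client remembers server X25519 shares from earlier connections to spot reuse.
type Client struct{ seenServerX map[string]bool }
func NewClient() *Client { return &Client{seenServerX: map[string]bool{}} }

// Connect runs one handshake with a fresh ML-KEM-768 key pair and returns the
// ML-KEM shared secret; it aborts if the server's X25519 share was seen before.
func (c *Client) Connect(serverX *ecdh.PrivateKey) ([]byte, error) {
	dk, err := mlkem.GenerateKey768() // fresh per connection, never reused
	if err != nil {
		return nil, err
	}
	srvKEM, ct, srvXPub := serverRespond(dk.EncapsulationKey(), serverX)
	if c.seenServerX[string(srvXPub)] {
		return nil, fmt.Errorf("server reused its X25519 key share; aborting")
	}
	c.seenServerX[string(srvXPub)] = true
	kem, err := dk.Decapsulate(ct) // recover the secret the server encapsulated
	if err != nil || !bytes.Equal(kem, srvKEM) {
		return nil, fmt.Errorf("ML-KEM shared secret mismatch: %v", err)
	}
	return kem, nil
}

func main() {
	serverX, _ := ecdh.X25519().GenerateKey(rand.Reader) // server reuses this key
	c := NewClient()
	_, err := c.Connect(serverX)
	fmt.Println("first connection, error:", err)
	_, err = c.Connect(serverX)
	fmt.Println("second connection, error:", err) // reuse detected, aborted
}
```

Even with the server's X25519 key held constant, every connection's ML-KEM secret is fresh because it is derived from a client key that exists only for that connection.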