We already had an extensive discussion on this topic, including a consensus call, and I don't believe that this matches the conclusion of this call.
https://mailarchive.ietf.org/arch/msg/tls/1brhJ5dtxCp1-xYPiKV8tg2uT7k/

Substantively, I am in favor of making a general requirement against reuse for TLS 1.3, but I don't think that having such a requirement in specific cipher suites is good.

Thanks,
-Ekr

On Tue, Mar 18, 2025 at 6:28 AM Filippo Valsorda <fili...@ml.filippo.io> wrote:
> I supported and support prohibiting key reuse, and seem to remember
> multiple other supporting voices not named John. My impression (which could
> be mistaken because these debates are really painful to keep track of) is
> actually that objections are in the rough, if we count From headers rather
> than Message-ID headers.
>
> Yes, there is no protocol police, and implementations feeling the Need for
> Speed might still do reuse. They might also use all zeroes in place of
> random bytes, since memset is faster than any DRBG! It's also easier. The
> good news is that we won't have to waste time thinking about how
> reuse-based attacks might apply to compliant implementations.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org