Based on the protocol diagram provided to me by Russ and some preliminary work back then, I do not expect it to break any properties of the TLS protocol under traditional adversary settings. However, I am not into PQ yet, so I can't say anything about whether FATT comments have been addressed.

One nit: According to RFC 5869, the first input of HKDF-Extract is the salt and the second input is the IKM.

So instead of:

Early Secret = HKDF-Extract(External PSK, 0)

it should say

Early Secret = HKDF-Extract(0, External PSK)

I have submitted a PR [1] for this.

[1] https://github.com/tlswg/rfc8773bis/pull/2

_______________________________________________
TLS mailing list -- tls@ietf.org
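The argument-order nit above, worked through in code. This is an added example, not code from the post, the draft or RFC 8773bis: it implements HKDF-Extract exactly as RFC 5869 Section 2.2 defines it (PRK = HMAC-Hash(salt, IKM)), checks the implementation against RFC 5869 Appendix A test case 1 so that the salt/IKM order is pinned down by a published vector, and then computes the TLS 1.3 Early Secret both as HKDF-Extract(0, PSK) and with the two inputs swapped. The PSK value is constructed for illustration; `early_secret` and `swapped_early_secret` are names chosen here, not identifiers from any specification.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract per RFC 5869, Section 2.2: PRK = HMAC-Hash(salt, IKM).

    The salt is the HMAC *key* (first argument) and the IKM is the HMAC
    *message* (second argument). An absent/empty salt is replaced by
    HashLen zero bytes, as RFC 5869 specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def early_secret(external_psk: bytes) -> bytes:
    """TLS 1.3 Early Secret for an external PSK (RFC 8446, Section 7.1):
    Early Secret = HKDF-Extract(0, PSK), where 0 is Hash.length zero bytes
    in the salt position and the PSK is the IKM."""
    return hkdf_extract(b"\x00" * HASH_LEN, external_psk)


def swapped_early_secret(external_psk: bytes) -> bytes:
    """The order as written in the draft text, HKDF-Extract(PSK, 0): the PSK
    lands in the salt (HMAC key) slot and the zero string becomes the IKM.
    Kept here only to show that the two orders are not interchangeable."""
    return hkdf_extract(external_psk, b"\x00" * HASH_LEN)


# RFC 5869 Appendix A, test case 1 (SHA-256). Passing this vector proves the
# salt-first, IKM-second order; swapping the arguments fails it.
RFC5869_TC1_IKM = bytes.fromhex("0b" * 22)
RFC5869_TC1_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_TC1_PRK = bytes.fromhex(
    "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
)

# Constructed sample external PSK for illustration only; not a real key.
SAMPLE_PSK = bytes.fromhex("11" * 32)


def main() -> None:
    assert hkdf_extract(RFC5869_TC1_SALT, RFC5869_TC1_IKM) == RFC5869_TC1_PRK
    assert hkdf_extract(RFC5869_TC1_IKM, RFC5869_TC1_SALT) != RFC5869_TC1_PRK
    correct = early_secret(SAMPLE_PSK)
    swapped = swapped_early_secret(SAMPLE_PSK)
    print("HKDF-Extract(0, PSK) =", correct.hex())
    print("HKDF-Extract(PSK, 0) =", swapped.hex())
    print("identical:", correct == swapped)


if __name__ == "__main__":
    main()
```

Two implementations that disagree on the order will still both produce 32 pseudorandom-looking bytes, so nothing fails loudly; only an interoperability test or a known-answer vector like the RFC 5869 one above catches it. That is why the text of the draft should match RFC 5869's parameter order exactly.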