On Sun, Mar 08, 2026 at 11:49:36PM +0100, Muhammad Usama Sardar wrote:
> Hi John,
> 
> Thanks for initiating this discussion and sharing your insightful comments.
> 
> On 08.03.26 10:32, John Mattsson wrote:
> > Any potential problems would be in the composition between MLS and TLS
> > 1.3.
> It seems clear that formal analysis would be required for this draft.
> > - The security considerations could be expanded.
> 
> I agree and I will be happy to work with Russ to address this concern, as we
> worked for 8773bis before.
> 
> In general, I really appreciate the document structure, in particular the
> "Motivation and Design Rationale" section.

This looks like a massive change to TLS 1.3, and one that would not be a
small tweak to existing analysis (like 8773bis or EKU), but require a
whole new analysis.


Furthermore, I think this mechanism is far too complex for updating
shared secrets, with a huge amount of accidental complexity. There is
absolutely nothing "straightforward" about this. As complex as EKU
seems, it is mostly essential complexity.

Furthermore, the threat model seems just as dubious as the one EKU uses,
and I do not think it is even possible to compose MLS and TLS in any
remotely reasonable way. Group messaging and transport are two very
different things.




-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
