Conversation
| if one is violated. | ||
|
|
||
| Clients and Servers MUST NOT reuse a key share for multiple | ||
| connections. Because {{RFC8446}} permitted reuse, receiving |
There was a problem hiding this comment.
What exactly do you mean by receiving implementations?
There was a problem hiding this comment.
Implementations that receive key shares. I believe this to be adequately clear.
|
Thread for reference and easier finding in future |
martinthomson
left a comment
martinthomson
left a comment
There was a problem hiding this comment.
Very good. Ship it.
thomwiggers
left a comment
thomwiggers
left a comment
There was a problem hiding this comment.
The proposed changes are good for the main body. I do think we would do well to consider Nick Sullivan's clarification on the list:
Just to be clear about the scope of this change, it only prevents literal reuse of the same share. It does not rule out implementations generating related shares from shared secret material since that is not visible to the client. This change enforces non-reuse, not independence of key shares.
This is actually an important detail when considering security modeling of TLS 1.3. Putting this clarification that we're still not truly mandating ephemeral key exchange in the security considerations may be useful for future analysts.
|
Well, we don't take a position on how the key shares are generated at all, other than to say:
Separately, I don't think it's helpful to use the terms "ephemeral" and "static". Historically, in TLS, "ephemeral" really meant that the key was explicit in the handshake rather than embedded in a credential. For example, TLS 1.0's "ephemeral RSA" keys were routinely reused. |
|
I am willing to bet that if I ask 10 cryptography academics what "generated independently" means, all of them will assume you are referring to ephemeral key exchange. On the other hand maybe it's better to not have "this doesn't actually mean you need to do ephemeral key exchange" in the document at all, to avoid giving people ideas. |
This text doesn't refer to the relationship between KeyShares in distinct connections at all. It refers to the relationship between the KeyShares in the same connection. |
|
Ah right, that was from another section of the draft. Thanks for the clarification. |
@thomwiggers I don't find the text you quote anywhere in 8446bis or on the list. Could you please clarify which document and section you are referring to? |
4 participants
Per discussion on the list. Note that I put this in the section on KeyShares and then removed the text about the impact of reuse on tracking, as it is no longer applicable.