Forbid key share reuse

draft-ietf-tls-rfc8446bis.md → rfc9846.md

@@ -546,6 +546,8 @@ editorial improvements.  In addition, it removes the use of the term
 names where no term was necessary. This document makes the following
 specific technical changes:
 
+- Forbid the reuse of KeyShare values between connections.
+
 - Forbid negotiating TLS 1.0 and 1.1 as they are now deprecated by {{!RFC8996}}.
 
 - Removes ambiguity around which hash is used with PreSharedKeys and
@@ -2366,6 +2368,11 @@ KeyShareEntry values for groups not listed in the client's
 these rules and abort the handshake with an "illegal_parameter" alert
 if one is violated.
 
+Clients and Servers MUST NOT reuse a key share for multiple
+connections.  Because {{RFC8446}} permitted reuse, receiving
+implementations MUST permit reuse by the peer in order to prevent
+interoperability issues.
+
 In a HelloRetryRequest message, the "extension_data" field of this
 extension contains a KeyShareHelloRetryRequest value:
 
@@ -5391,10 +5398,6 @@ applications SHOULD NOT offer tickets across connections that are meant to be
 uncorrelated. For example, {{FETCH}} defines network partition keys to separate
 cache lookups in web browsers.
 
-Clients and Servers SHOULD NOT reuse a key share for multiple connections. Reuse
-of a key share allows passive observers to correlate different connections. Reuse
-of a client key share to the same server additionally allows the server to correlate different connections.
-
 It is RECOMMENDED that the labels for external identities be selected so that they
 do not provide additional information about the identity of the
 user. For instance, if the label includes an e-mail address, then