On 13/10/16 13:27, Yoav Nir wrote:
> Hi, Stephen
>
>>
>> - Wouldn't it be good to encourage minimising re-use of public
>> values for multiple key exchanges? As-is, the text sort-of
>> encourages use for "many key exchanges" in section 4.
>
> I don’t think so.

Fair enough, though when I said "minimise" I didn't mean "never
re-use." But all you say below is correct, so not that big a deal,
but I do think it'd be better to explicitly encourage implementers
to roll their private values as often as makes sense in their
situation.

S.

> Re-use reduces the computation cost of an IKE
> Responder (or TLS server) without sacrificing security. There was
> some discussion of this in CFRG, but I see that it didn’t make it
> into RFC 7748, so all I can find is some StackExchange question
> ([1]).
>
> It does make the static keypair valuable. It is definitely not a good
> idea to store the private key on-disk and keep it forever, but
> generating a new key once in a while and discarding the old key is
> usually a good compromise there.
>
> Anyway key-pair reuse is established practice. Using constant-time
> implementations is essential to making this practice safe, and the
> Security Considerations sections says just that.
>
> Yoav
>
> [1]
> http://crypto.stackexchange.com/questions/11012/reuse-of-a-dh-ecdh-public-key
>
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
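The practice discussed in this thread (a responder reuses one key pair for many exchanges, but generates a new one once in a while and never stores it on disk), as an added Go example that is not part of the original messages or of any IKE or TLS implementation. The `ReusedKey` type, its `MaxAge` and `MaxUses` limits and the injectable clock are assumptions made for illustration; the X25519 operations are those of Go's standard `crypto/ecdh` package.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

// ReusedKey keeps one X25519 key pair in memory only and replaces it once it
// is too old or has served too many exchanges (both limits are assumptions).
type ReusedKey struct {
	mu      sync.Mutex
	key     *ecdh.PrivateKey
	born    time.Time
	uses    int
	MaxAge  time.Duration
	MaxUses int
	Now     func() time.Time // injectable clock, for testing
}

// Exchange does the responder side of one key agreement and returns the
// responder public value that was used together with the shared secret.
func (r *ReusedKey) Exchange(peer *ecdh.PublicKey) (pub, secret []byte, err error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.Now()
	if r.key == nil || r.uses >= r.MaxUses || now.Sub(r.born) >= r.MaxAge {
		// Roll the private value; the old one is dropped, never persisted.
		k, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		r.key, r.born, r.uses = k, now, 0
	}
	r.uses++
	// ECDH returns an error if the result is all zeros (low-order peer point).
	secret, err = r.key.ECDH(peer)
	return r.key.PublicKey().Bytes(), secret, err
}

func main() {
	r := &ReusedKey{MaxAge: time.Minute, MaxUses: 2, Now: time.Now}
	for i := 0; i < 3; i++ {
		peer, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed initiator
		pub, _, err := r.Exchange(peer.PublicKey())
		fmt.Printf("exchange %d: responder public %x… err=%v\n", i, pub[:4], err)
	}
}
```

Tightening `MaxAge` and `MaxUses` moves the responder toward rolling its private value more often; loosening them trades that for lower computation cost per exchange.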
