[TLS] Universal PSKs

2018-06-14 David Benjamin
Hey all, So TLS 1.2 has a mechanism for PSKs. We attempted to mirror it in TLS 1.3 via the external PSK mechanism, repurposing the resumption flow. But the security proof requires PSKs be associated with a specific hash for key separation. We use distinguishing labels in the key schedule, but if

Re: [TLS] Enforcing Protocol Invariants

2018-06-14 Kyle Nekritz
That’s definitely a possibility if using a single key that never changes. With periodically rolling new keys, I’m not sure the risk is much different than with periodically rolling new versions. Ossifying on updated versions of either requires the middlebox to take a hard dependency on having