"Cranking the KDF" suffices for providing "subkeys" that are cryptographically intractable, which should address the concern of "too much plaintext under the same key". That's less than what I'd consider a "full re-key". And even then "cranking the KDF" with something newly-random isn't a bad idea at all.
I don't think common crypto expertise would disagree.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

Original Message
From: Salz, Rich
Sent: Monday, December 28, 2015 16:09
To: Blumenthal, Uri - 0553 - MITLL; Eric Rescorla
Cc: Florian Weimer; [email protected]
Subject: RE: [TLS] Data volume limits

> When the key is changed, the change procedure should involve new randomness.

I don't think this is necessary, and I don't think the common crypto expertise agrees with you, either. But I am not a cryptographer, maybe one of the ones on this list can chime in. "Crank the KDF" suffices.
