It is not quite as simple as saying "(1) makes proofs more complicated" since it depends on what you are trying to prove.
(1) makes some styles of standard AKE property proofs (key secrecy, authentication) harder (2) might make some privacy proofs harder Given that the proof-effort has mostly focused on secrecy and authentication properties, one can argue for (2). However, some proof styles can still work out in (1), so it is not such a clear choice. Over time, I've changed my mind, and I now prefer (2) (since we don't have full detail on any privacy proofs) as long as the content-type essentially boils down to a single bit of information (which key we are using) and nothing else. FWIW, Cas On Tue, Jun 14, 2016 at 1:12 PM, Hannes Mehnert <han...@mehnert.org> wrote: > On 13/06/2016 21:27, Daniel Kahn Gillmor wrote: > > On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote: > >> 1. Use the same key for handshake and application traffic (as in the > >> current draft-13) > >> > > > or > >> > >> 2. Restore a public content type and different keys > > > > Given this choice, i prefer (1). > > FWIW, I prefer (1) as well > > > hannes > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
