In general one has to generate the directional traffic keys independently due to read/write epochs changing at different times, so I'd prefer it left as is. (In BoringSSL, we also generate the directional keys independently. I'd often wished that TLS 1.2 was the same.)
The switch from handshake to traffic_secret_0 happens at different points because the key change happens immediately after Finished on both sides (this is important otherwise a server alert on bad client certificate is unreadable). From traffic_secret_N to traffic_secret_N+1 is similarly asymmetric because of KeyUpdate skew. Not that it's a huge deal either way. David On Wed, Aug 17, 2016 at 6:10 PM Eric Rescorla <[email protected]> wrote: > Issue: > https://github.com/tlswg/tls13-spec/issues/555 > > ADL suggested that we could slightly reduce the number of HKDF > computations by generating the IVs as a single block rather than > with individual HKDF-Expands. You can't generally do this kind > of slice-and-dice and preserve the key boundary, but IVs are > public anyway. > > At least for NSS, this makes things slightly more complicated > because we generate the directional traffic keys independently, > but it's also not a big deal to change if people want. > > Comments in favor or against? > > > > > > > > > > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
