This is a good idea.

On 10 February 2017 at 08:15, Eric Rescorla <[email protected]> wrote:
> - Address a potential issue raised by Trevor Perrin where an attacker
> somehow forces the IKM value to match the label value for Derive-Secret,
> in which case the output of HKDF-Extract would match the derived secret.
> This doesn't seem like it should be possible for any of the DH variants
> we are using, and it's not clear that it would lead to any concrete
> attack, but in the interest of cleanliness, it seemed good to address.
Just to highlight this point: if we need to add a PQ key exchange, there is no guarantee that it will have exactly the same properties as the key exchange methods we have today. I expect that need to arise relatively soon, so that's an extra good reason to make this change.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
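Added example (not part of the thread) showing the coincidence the quoted changelog item describes: with an output length of Hash.length, Derive-Secret reduces to one HMAC over `HkdfLabel || 0x01`, and HKDF-Extract is one HMAC over the IKM under the same key, so the two outputs are identical exactly when the IKM equals that encoded label, and a length check shows why a fixed-size DH secret such as X25519's 32 bytes cannot. The HkdfLabel wire format is the one from RFC 8446 (an assumption relative to the draft under discussion), and the secret and transcript bytes are constructed.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM), a single HMAC keyed by the salt."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(1) = HMAC(PRK, info||0x01), T(i) = HMAC(PRK, T(i-1)||info||i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """HkdfLabel encoding as in RFC 8446 7.1 (assumed; the thread predates the final format):
    uint16 length || opaque label<7..255> = "tls13 " + Label || opaque context<0..255>."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)."""
    info = hkdf_label(label, HASH(transcript).digest(), HASH_LEN)
    return hkdf_expand(secret, info, HASH_LEN)


def colliding_ikm(label: bytes, transcript: bytes) -> bytes:
    """The IKM for which HKDF-Extract(secret, IKM) == Derive-Secret(secret, label, transcript).
    Since Hash.length <= HashLen, Derive-Secret is exactly T(1) = HMAC(secret, info || 0x01),
    while HKDF-Extract is HMAC(secret, IKM); the two agree when IKM == info || 0x01."""
    return hkdf_label(label, HASH(transcript).digest(), HASH_LEN) + b"\x01"


def dh_secret_length_can_match(dh_secret_len: int, label: bytes) -> bool:
    """Domain-separation check: a DH shared secret of fixed length can only equal the
    colliding IKM if the lengths agree. The colliding IKM is always
    2 + 1 + len(b"tls13 " + label) + 1 + HASH_LEN + 1 bytes, independent of the transcript."""
    return dh_secret_len == len(colliding_ikm(label, b""))
```

For the `"derived"` label the colliding IKM is 50 bytes, so a 32-byte X25519 secret can never take that value; the structural point is that label encoding and IKM must not share a byte space at all, which is what the cleanliness change aims at.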
