https://github.com/tlswg/tls13-spec/pull/882 contains the longer description.
In short, the existence of an exporter secret threatens the forward secrecy of any exported secret. This is a problem for QUIC and is likely to be a more general problem. The proposed fix is small: separate exporters into two steps (extract+expand) where the first step allows for separation based on exporter type and the second on context. That allows an endpoint to keep separate secrets for each exporter type and discard those that it no longer needs, thus gaining forward secrecy if it likes.
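A sketch of the two-step idea described in the message above, added here as an illustration and not taken from the pull request or from any TLS implementation. It assumes the derivation shape later published in RFC 8446 section 7.5 (a per-label secret, then an expansion over the hashed context) with SHA-256; the labels, the `ExporterState` class and the sample master secret are constructed for the example.

```python
import hashlib, hmac, struct

HASH = hashlib.sha256  # assumption: SHA-256 as the handshake hash

def hkdf_expand(prk, info, length):
    # HKDF-Expand as in RFC 5869
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    # HkdfLabel encoding from RFC 8446 section 7.1
    full = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def per_label_secret(exporter_master_secret, label):
    # Step 1: separate by exporter type (label); context is not involved yet
    return hkdf_expand_label(exporter_master_secret, label,
                             HASH(b"").digest(), HASH().digest_size)

def export(label_secret, context, length):
    # Step 2: separate by context, starting from the per-label secret only
    return hkdf_expand_label(label_secret, b"exporter",
                             HASH(context).digest(), length)

class ExporterState:
    """Hypothetical holder: keeps one secret per label, never the master secret."""
    def __init__(self, exporter_master_secret, labels):
        self._secrets = {l: per_label_secret(exporter_master_secret, l)
                         for l in labels}

    def export(self, label, context, length):
        return export(self._secrets[label], context, length)

    def discard(self, label):
        # After this, values for `label` can no longer be derived from this
        # state; other labels are unaffected.
        self._secrets.pop(label, None)
```

Because `ExporterState` stores only the step-1 outputs, a later compromise of the endpoint reveals nothing about exporter types whose secret was discarded.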
