On Tue, Sep 17, 2019, at 11:26, Martin Thomson wrote: > What we learned from TLS 1.3 is that HKDF is effectively a completely > different KDF when it is used with a different hash function.
Hugo points out that I should clarify this to add: One should not use HKDF with two hash functions (or more generally two KDF functions) and the same IKM. The same way as you should not use two different cryptographic functions with the same key. This is an idea that this draft exists to support, so it needs to be very careful about how it does the same itself. _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
