On Thu, Sep 19, 2019, at 01:41, Christopher Wood wrote: > Ah, so, I think this is where the miscommunication is happening! The > target KDFs I've been envisioning are not protocol specific.
As HKDF and the TLS 1.2 PRF are not the same function, wouldn't it be better to have separate identifiers? Sure, we could rely on the `protocol` field to diversify the output, but I think that we should be applying the same principle throughout, namely that the one key is only used with the one KDF instantiation. _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
