Hi,

TLS WG went through a lot of work (RFC 9258) to make sure that PSKs only be used with a single hash function. But as far as I can see the RFC8446(bis) does not say anything about:

* Using the same cert for TLS client and TLS server
* Using the same public key cert for TLS and another protocol (JOSE, COSE, SMIME, IKE, etc.)
* Using the external PSK for TLS and another protocol.

I think it should.

- Using the same signature key or PSK for TLS and another protocol is obviously unsecure in the worst case. But probably practically secure in many cases even if nobody has proved it.
- Did any of the formal analysis prove that using the same key for TLS client and server is secure? It is quite common that the same node is a TLS server and client.

Cheers,
John
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls