On Wed, Sep 24, 2025 at 2:47 PM Martin Thomson <[email protected]> wrote:
> On Thu, Sep 25, 2025, at 03:08, Eric Rescorla wrote:
> > On Wed, Sep 24, 2025 at 5:13 AM John Mattsson
> > <[email protected]> wrote:
> >> ”The key_exchange values for each KeyShareEntry MUST be generated
> >> independently”
> >>
> >> this seems like a weird way to try to partially protect against bad
> >> implementations that violate NIST requirements and use Key Share
> >> entries in more than one execution of key-establishment.
> >
> > This text is not about multiple executions of key-establishment but
> > about multiple KeyShareEntries in the same protocol run.
>
> That wouldn't be an issue if we didn't allow key share reuse across
> connections.

I'm not sure that's true. IIRC the rationale for this text was a concern
that key shares from different groups in the same connection would be
mathematically related.

-Ekr
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
