On Mon, Oct 20, 2025 at 07:16:06PM +0200, Muhammad Usama Sardar wrote:
> Dear authors,
>
> Thank you for adding security considerations. Since the issue [0] was
> closed, I am having a real tough time understanding how PR [1] mentioned in
> the issue is addressing /all/ my concerns in the issue. Please help me
> understand that.
Looking at the updates, the tie-break comparison honestly yielding equality is not impossible, merely extremely unlikely. For example, probability of 2^-251 for X25519, or 2^-256 for any stand-alone ML-KEM.

And I do not see any discussion about which key(s) is/are compromised, and that matters. For example, compromising both active application traffic secrets (for example via some sort of bleeding of either endpoint) completely destroys security. And as another example, both active AEAD keys being compromised would allow suppressing key updates as long as endpoints allow that.

> [0] https://github.com/tlswg/tls-key-update/issues/59
>
> [1] https://github.com/tlswg/tls-key-update/pull/62

-Ilari
