On Fri, Oct 24, 2025 at 01:52:36PM -0400, Paul Wouters wrote:
> On Fri, 24 Oct 2025, Sean Turner wrote:
> 
> > Subject: [TLS] Re: KeyShareEntry MUST be generated independently - was Re:
> > Mohamed Boucadair's No Objection on draft-ietf-tls-hybrid-design-15: (with
> > COMMENT) (fwd)
> > 
> > Hi! It appears that the emerging consensus here is to make no changes as a
> > result of this comment.  Mostly this is because it appears that the MUST
> > will be ignored.
> > If you disagree with this, please indicate why by 30 October 2025.
> 
> I think reading it in context does help to frame the issue properly for
> evaluation:
> 
> https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-15#section-3.2
> 
> 
> A note I have though is as the start of that paragraph states:
> 
>       [TLS13] requires that ``The key_exchange values for each KeyShareEntry
>       MUST be generated independently.'' In the context of this document,
>       since the same algorithm may appear in multiple named groups, this
>       document relaxes the above requirement to allow the same key_exchange
>       value for the same algorithm to be reused in multiple KeyShareEntry
>       records sent in within the same ClientHello.

The text could say:

        [TLS13] requires that ``The key_exchange values for each
        KeyShareEntry MUST be generated independently.'' In the context
        of hybrid algorithms, this independent generation requirement
        also applies across its component algorithms.  However, when a
        component algorithm of a hybrid keyshare is used in more than
        one keyshare within the same ClientHello, either as part of
        another hybrid, or standalone, that same keyshare component MAY
        be used more than once, since ultimately only one of the
        keyshares is used in key derivation: the multiple copies in the
        same ClientHello do not lead to reuse of an ephemeral private
        key, nor are the secrets for separate algorithms thereby derived
        in a manner that might compromise the security of the stronger
        when the weaker is vulnerable to an attack.

-- 
    Viktor.  🇺🇦 Слава Україні!
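As an added illustration (not from the thread or from the draft) of how the reuse discussed above shows up on the wire: a small KeyShareClientHello encoder/parser that splits a hybrid key_exchange into its component algorithms and reports a component value reused across entries (permitted by the relaxed text) separately from the same named group being offered twice (which RFC 8446 forbids). The group layouts and the X25519MLKEM768 code point are assumptions taken from draft-ietf-tls-ecdhe-mlkem, and the sample shares are constructed bytes, not real keys.

```python
import struct
# Group layouts assumed here (component, length): x25519 = 0x001D (RFC 8446);
# X25519MLKEM768 = 0x11EC (draft-ietf-tls-ecdhe-mlkem): ML-KEM-768 key || X25519 key.
GROUPS = {
    0x001D: (("x25519", 32),),
    0x11EC: (("mlkem768", 1184), ("x25519", 32)),
}

def encode_key_share(entries):
    """Serialise KeyShareClientHello from a list of (group, key_exchange)."""
    body = b"".join(struct.pack(">HH", g, len(kx)) + kx for g, kx in entries)
    return struct.pack(">H", len(body)) + body

def decode_key_share(data):
    """Parse KeyShareClientHello back into a list of (group, key_exchange)."""
    (total,) = struct.unpack(">H", data[:2])
    if 2 + total != len(data):
        raise ValueError("key_share length mismatch")
    off, entries = 2, []
    while off < len(data):
        g, n = struct.unpack(">HH", data[off:off + 4])
        entries.append((g, data[off + 4:off + 4 + n]))
        off += 4 + n
    return entries

def split_components(group, key_exchange):
    """Split a (hybrid) key_exchange into its (algorithm, value) components."""
    layout = GROUPS[group]
    if len(key_exchange) != sum(n for _, n in layout):
        raise ValueError(f"bad key_exchange length for group {group:#06x}")
    parts, off = [], 0
    for alg, n in layout:
        parts.append((alg, key_exchange[off:off + n]))
        off += n
    return parts

def audit_key_share(entries):
    """Return (reused, problems): component algorithms whose value recurs across
    entries (allowed by the relaxed rule) and groups offered twice (forbidden)."""
    groups = [g for g, _ in entries]
    problems = sorted(f"duplicate group {g:#06x}" for g in set(groups) if groups.count(g) > 1)
    seen = {}
    for g, kx in entries:
        for part in split_components(g, kx):
            seen[part] = seen.get(part, 0) + 1
    reused = sorted({alg for (alg, _), n in seen.items() if n > 1})
    return reused, problems
# Constructed sample shares (not real keys): one X25519 value reused in both entries.
X25519_SHARE, MLKEM_SHARE = bytes(range(32)), bytes(1184)
SAMPLE = [(0x11EC, MLKEM_SHARE + X25519_SHARE), (0x001D, X25519_SHARE)]
```

Running `audit_key_share(SAMPLE)` reports `x25519` as reused with no problems, which is exactly the situation the proposed text permits.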

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
