Usama,

Before making any judgments, I kindly ask that you review my earlier messages where I shared the exact key names I was concerned about. My intention was only to raise a valid security concern regarding a possible attack. Unfortunately, instead of addressing it in detail, it was treated as if I were spamming.

I regret that our communication has left me feeling disappointed. For this reason, I will not continue the discussion further. If you believe the protocol is secure enough, I respect your position.

I apologize if my messages caused any inconvenience. I had hoped for more openness to different perspectives, but I understand your approach.

Thank you for your time and understanding. I will step back from this conversation now.

Hosnieh

On 11/20/25 10:34 AM, Muhammad Usama Sardar wrote:

Hi Thom,

Thanks, we are on the same page. Some notes inline:

On 20.11.25 01:55, Thom Wiggers wrote:
On 19 Nov 2025, at 21:32, Muhammad Usama Sardar <[email protected]> wrote:

On 19.11.25 06:36, Thom Wiggers wrote:
And indeed, what applies to the Main Secret applies to the other “internal” keys just as well.

By "internal keys" you mean all the keys in the TLS 1.3 key schedule except for "exporter value" as defined in Sec. 7.5 of RFC8446bis, right?

In other words, the set of "/external/ keys" would have just two keys:

 1. "early" exporter value (which takes only ClientHello from handshake)
 2. Exporter value (which takes up to ServerFinished from handshake)


That sounds about right. Maybe even more strictly, the values _derived from_ the exporter values when the API is called are “external”, as we have some semantics attached to their properties and use outside the handshake.

Cool, thanks for confirmation. We are on the same page.

See https://eprint.iacr.org/2020/1044.pdf

Thanks for this pointer. I see their distinction between internal and external.

I was not being super precise or formal here, anyway [1].

Sure, I asked because I could not find "internal keys" in RFC8446bis. I just wanted to be sure that we are saying the same thing.

[1] Note that I think that most people are not always being formal or even very precise on this mailing list and in other discussions around the IETF.

Well, I disagree: when Hosnieh is claiming a security concern related to key schedule, she has to be precise about the keys. In particular, the way she is equating PSK to Main Secret is just wrong. Doing it repeatedly after being corrected a couple of times seems like intentional spamming to me.

Besides, making claims such as many systems are using PSK-only handshakes without providing a single example is just illogical to me.

-Usama
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
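
Added example, not part of the thread and not code from any TLS implementation: a sketch of the RFC 8446 key schedule (SHA-256 suite) that keeps the Early, Handshake and Main Secrets internal and returns only the two exporter secrets listed above, plus the per-call derivation from Section 7.5. The function names and all byte strings are assumptions constructed for illustration, not real handshake messages.

```python
import hashlib
import hmac

H = hashlib.sha256
HLEN = H().digest_size
ZERO = bytes(HLEN)

def extract(salt, ikm):
    # HKDF-Extract (RFC 5869)
    return hmac.new(salt, ikm, H).digest()

def expand(prk, info, length):
    # HKDF-Expand (RFC 5869)
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), H).digest()
        out += t
        i += 1
    return out[:length]

def expand_label(secret, label, context, length):
    # HKDF-Expand-Label: uint16 length, then length-prefixed label and context
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return expand(secret, info, length)

def derive_secret(secret, label, messages):
    # Derive-Secret binds the output to the transcript hash of `messages`
    return expand_label(secret, label, H(messages).digest(), HLEN)

def exporter_secrets(psk, dhe, client_hello, rest_through_server_finished):
    # Internal secrets stay local; only the two exporter secrets are returned.
    early = extract(ZERO, psk)
    handshake = extract(derive_secret(early, b"derived", b""), dhe)
    main = extract(derive_secret(handshake, b"derived", b""), ZERO)
    transcript = client_hello + rest_through_server_finished
    return {
        "early_exporter": derive_secret(early, b"e exp master", client_hello),
        "exporter": derive_secret(main, b"exp master", transcript),
    }

def tls_exporter(exporter_secret, label, context_value, length):
    # Section 7.5: the value handed to the application ("external" in the thread)
    per_label = derive_secret(exporter_secret, label, b"")
    return expand_label(per_label, b"exporter", H(context_value).digest(), length)

# Constructed sample inputs
PSK, DHE = b"\x11" * 32, b"\x22" * 32
CH, REST = b"constructed ClientHello", b"constructed SH..server Finished"
```

Changing the (EC)DHE input or the later handshake messages changes the exporter secret but not the early exporter secret, which depends only on the PSK and the ClientHello.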
