Hi Paul,

This seems like it could have some unintended consequences in terms of
nonorthogonality. Specifically, this extension only works with an asymmetric
exchange, so if we made the change you indicate it would have the result
that you could do an attestation update with an asymmetric exchange but
not a hash ratchet. That might be OK, but it's a bit odd....

-Ekr


On Thu, Jan 15, 2026 at 4:24 PM Paul Wouters <paul=
[email protected]> wrote:

> On Tue, 13 Jan 2026, [email protected] wrote:
>
> >   To address this, this specification defines an extended key update
> >   mechanism that performs a fresh Diffie-Hellman exchange within an
> >   active session, thereby ensuring post-compromise security.  By
> >   forcing attackers to exfiltrate new key material repeatedly, this
> >   approach mitigates the risks associated with static key compromise.
> >   Regular renewal of session keys helps contain the impact of such
> >   compromises.  The extension is applicable to both TLS 1.3 and DTLS
> >   1.3.
>
> It would be useful, if we are changing KeyUpdate anyway, to also generally
> allow some other TLS Extensions to send a message here. One can think
> of attestation refreshing being one obvious use case here.
>
> Paul
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>