This change updates the EKU key schedule to explicitly include the previous transcript hash. This ensures that the new traffic keys are anchored to the entire transcript history, providing full transcript continuity. While the previous version had secret continuity through recursive chaining, it lacked transcript continuity.
Thanks to Thom Wiggers for raising this issue.

Best Regards,
-Tiru

---------- Forwarded message ---------
From: <[email protected]>
Date: Thu, 19 Feb 2026 at 10:33
Subject: [TLS] I-D Action: draft-ietf-tls-extended-key-update-09.txt
To: <[email protected]>
Cc: <[email protected]>

Internet-Draft draft-ietf-tls-extended-key-update-09.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF.

   Title:   Extended Key Update for Transport Layer Security (TLS) 1.3
   Authors: Hannes Tschofenig
            Michael Tüxen
            Tirumaleswar Reddy
            Steffen Fries
            Yaroslav Rosomakho
   Name:    draft-ietf-tls-extended-key-update-09.txt
   Pages:   40
   Dates:   2026-02-18

Abstract:

   TLS 1.3 ensures forward secrecy by performing an ephemeral Diffie-Hellman key exchange during the initial handshake, protecting past communications even if a party's long-term keys (typically a private key with a corresponding certificate) are later compromised. While the built-in KeyUpdate mechanism allows application traffic keys to be refreshed during a session, it does not incorporate fresh entropy from a new key exchange and therefore does not provide post-compromise security. This limitation can pose a security risk in long-lived sessions, such as those found in industrial IoT or telecommunications environments.

   To address this, this specification defines an extended key update mechanism that performs a fresh Diffie-Hellman exchange within an active session, thereby ensuring post-compromise security. By forcing attackers to exfiltrate new key material repeatedly, this approach mitigates the risks associated with static key compromise. Regular renewal of session keys helps contain the impact of such compromises. The extension is applicable to both TLS 1.3 and DTLS 1.3.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-extended-key-update/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-extended-key-update-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-extended-key-update-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
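A simplified model of the distinction drawn in the first message between secret continuity and transcript continuity, added here as an illustration and not taken from the draft or from anyone in this thread. The label `toy eku`, the use of SHA-256, the function names and the way the transcript hash is folded in are assumptions of this sketch, not the draft's key schedule; all input values are constructed.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869) with SHA-256.
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF-Expand (RFC 5869) with SHA-256.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def run_updates(history: bytes, rounds, bind_transcript: bool) -> bytes:
    """Apply successive key updates and return the final secret.

    bind_transcript=False: each secret depends only on the previous secret
    and the fresh DH output (recursive chaining, i.e. secret continuity).
    bind_transcript=True: a running transcript hash, seeded from the earlier
    history and extended with each update's messages, is mixed in as well.
    """
    secret = hashlib.sha256(b"constructed initial traffic secret").digest()
    th = hashlib.sha256(history).digest()
    for dh_shared, update_msgs in rounds:
        prk = hkdf_extract(secret, dh_shared)
        if bind_transcript:
            th = hashlib.sha256(th + update_msgs).digest()  # previous hash carried forward
            secret = hkdf_expand(prk, b"toy eku" + th)
        else:
            secret = hkdf_expand(prk, b"toy eku")
    return secret

def compare_views():
    # Two endpoints share every secret input but recorded different histories.
    rounds = [(hashlib.sha256(b"constructed DH output %d" % i).digest(),
               b"constructed update messages %d" % i) for i in range(3)]
    view_a, view_b = b"constructed history, view A", b"constructed history, view B"
    chained_agree = hmac.compare_digest(run_updates(view_a, rounds, False),
                                        run_updates(view_b, rounds, False))
    bound_agree = hmac.compare_digest(run_updates(view_a, rounds, True),
                                      run_updates(view_b, rounds, True))
    same_view_agree = hmac.compare_digest(run_updates(view_a, rounds, True),
                                          run_updates(view_a, rounds, True))
    return chained_agree, bound_agree, same_view_agree

if __name__ == "__main__":
    print(compare_views())
```

With chaining alone the two endpoints still derive identical keys after three updates although their histories differ; once the running transcript hash is an input, the keys diverge and the mismatch surfaces as a decryption failure.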
