I support the change. Prohibiting key share reuse is a worthwhile improvement.
Just to be clear about the scope of this change, it only prevents literal reuse of the same share. It does not rule out implementations generating related shares from shared secret material since that is not visible to the client. This change enforces non-reuse, not independence of key shares.

-Nick

On Mon, Mar 16, 2026 at 2:43 PM Muhammad Usama Sardar <[email protected]> wrote:

> On 16.03.26 05:24, Martin Thomson wrote:
>
> > Proposal:
> > Prohibit key share reuse in TLS 1.3.
>
> I support this proposal. As supporting evidence, I'll do and share the
> formal analysis of the 6 scenarios that John has kindly shared in some
> other thread. I'll be very surprised if any of those will not break the
> properties.
>
> Best regards,
>
> -Usama
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
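The distinction drawn above between non-reuse and independence, as an added example that is not part of the thread or of any TLS implementation: a client-side check can flag a byte-identical share seen twice from a peer, but shares derived from one long-lived seed look fresh to it. The detector class, the seed-based derivation, the peer names and the toy group (exponentiation modulo 2**255 - 19 standing in for the real key exchange group) are all assumptions made for illustration.

```python
import hashlib
import hmac

# Stand-in group for illustration only (assumption): modular exponentiation
# replaces the real (EC)DHE group operation.
P = 2**255 - 19
G = 2


class KeyShareReuseDetector:
    """Client-side view: remembers the server shares seen from each peer."""

    def __init__(self):
        self._seen = {}  # peer name -> set of SHA-256 digests of shares

    def observe(self, peer: str, share: bytes) -> bool:
        """Return True if this exact share was already seen from this peer."""
        digest = hashlib.sha256(share).digest()
        seen = self._seen.setdefault(peer, set())
        reused = digest in seen
        seen.add(digest)
        return reused


def derived_share(seed: bytes, counter: int) -> bytes:
    """Hypothetical server: every private key is derived from one seed."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256)
    priv = int.from_bytes(mac.digest(), "big")
    return pow(G, priv, P).to_bytes(32, "big")


def run_demo():
    detector = KeyShareReuseDetector()
    seed = b"constructed long-lived seed"  # constructed sample value
    static = derived_share(seed, 0)
    # Literal reuse: the same share in two handshakes is flagged the second time.
    literal = [detector.observe("reuser.example", static) for _ in range(2)]
    # Related shares: different bytes per handshake, all from the same seed,
    # so the byte-level check has nothing to flag.
    related = [detector.observe("deriver.example", derived_share(seed, n))
               for n in range(1, 4)]
    return literal, related


if __name__ == "__main__":
    print(run_demo())
```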
