On Mon, Mar 16, 2026 at 02:17:31PM +0000, Ben Schwartz wrote:
> I don't understand this. All secrets derived from ECDH also depend on
> the (hashed) handshake transcript, including the randoms, so the
> resulting shared secrets will never be duplicated between connections.
> What am I missing?
You're right that there is enough entropy with the small nonces (which have to be kept small), though not in the rest of the handshake. Without enforcement of the non-reuse requirement, I'm not finding the new MUST very credible. An optional enforcement requirement, in the form of a replay cache, would make this requirement more credible, but performant replay caches are quite difficult to build. IOW, w/o an optional replay cache enforcement mechanism I think this SHOULD->MUST is just cosmetic.

Anyways, I'm mildly in favor of the proposal.

Nico
--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
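The two points in the exchange above, as an added example that is not part of the thread or of any TLS implementation: the TLS 1.3 key schedule (RFC 8446 section 7.1, modeled with HKDF over SHA-256 from the Python standard library) binds the ClientHello..ServerHello transcript, so a connection that reuses one side's key share still gets different traffic secrets once the randoms differ; and the only way to *enforce* non-reuse is to remember peer key shares, which is what the small, bounded replay cache below does. The (EC)DH computation is replaced by a stand-in function of the two public shares (it is not curve arithmetic), the transcript is reduced to randoms plus key shares, and the class and function names, window and capacity parameters are assumptions chosen for this example.

```python
"""Key-share reuse vs. transcript binding, plus a bounded replay cache.

Added example (stdlib only). Models RFC 8446 s7.1 up to the handshake
traffic secrets; the (EC)DH step is a stand-in, not real DH.
"""
import hashlib
import hmac
import os
from collections import OrderedDict

HASH = hashlib.sha256
HASHLEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1): HkdfLabel = length || "tls13 "+label || context."""
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([6 + len(label)]) + b"tls13 " + label
        + bytes([len(context)]) + context
    )
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + hkdf_label + bytes([counter]), HASH).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(secret, label, Hash(messages), HashLen)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASHLEN)


def fake_ecdh(share_a: bytes, share_b: bytes) -> bytes:
    """Stand-in for the (EC)DH shared value (assumption, NOT real DH).
    Symmetric and deterministic in the two public shares, which is all the
    model needs: same pair of shares -> same shared value."""
    lo, hi = sorted((share_a, share_b))
    return hmac.new(b"stand-in for (EC)DH", lo + hi, HASH).digest()


def handshake_traffic_secrets(client_random: bytes, client_share: bytes,
                              server_random: bytes, server_share: bytes):
    """Returns (client_handshake_traffic_secret, server_handshake_traffic_secret).
    The transcript is modeled as randoms + key shares (ClientHello..ServerHello)."""
    transcript = client_random + client_share + server_random + server_share
    shared = fake_ecdh(client_share, server_share)
    early = hkdf_extract(b"\x00" * HASHLEN, b"\x00" * HASHLEN)   # no PSK
    derived = derive_secret(early, b"derived", b"")
    hs = hkdf_extract(derived, shared)                            # salt=derived, IKM=(EC)DHE
    return (derive_secret(hs, b"c hs traffic", transcript),
            derive_secret(hs, b"s hs traffic", transcript))


class KeyShareReplayCache:
    """Bounded, time-windowed set of peer key shares already seen (assumed design).

    check_and_insert() returns True when the share was seen within `window_s`
    seconds. Entries are evicted by age and by a hard capacity cap (oldest
    first), so memory stays bounded; the price is that a reuse older than the
    window, or pushed out under load, goes undetected. That trade-off is why
    a performant, reliable cache is hard to build."""

    def __init__(self, window_s: float, capacity: int):
        self._window = window_s
        self._cap = capacity
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()   # digest -> first_seen

    def _evict_expired(self, now: float) -> None:
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if now - first_seen > self._window:
                self._seen.popitem(last=False)
            else:
                break

    def check_and_insert(self, share: bytes, now: float) -> bool:
        key = HASH(share).digest()          # store a digest, not the share itself
        self._evict_expired(now)
        if key in self._seen:
            return True
        self._seen[key] = now
        if len(self._seen) > self._cap:
            self._seen.popitem(last=False)  # capacity eviction, oldest first
        return False


def demo() -> dict:
    """Server reuses one key share across two connections; client side is fresh."""
    server_share = os.urandom(32)
    conn1 = handshake_traffic_secrets(os.urandom(32), os.urandom(32), os.urandom(32), server_share)
    conn2 = handshake_traffic_secrets(os.urandom(32), os.urandom(32), os.urandom(32), server_share)
    cache = KeyShareReplayCache(window_s=60.0, capacity=10_000)
    first = cache.check_and_insert(server_share, now=0.0)
    second = cache.check_and_insert(server_share, now=1.0)
    return {"secrets_differ": conn1 != conn2, "first_seen": first, "reuse_detected": second}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both halves of the argument at once: the traffic secrets differ between the two connections even though the server share is identical, and the cache still flags the second use of that share. Shrink `window_s` or `capacity` in the test below and the same reuse slips through, which is the enforcement gap the message is pointing at.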
