On Wed, Mar 18, 2026, at 00:09, Ben Schwartz wrote:
> The support for this change is clearly overwhelming, but I'm still
> confused about the motivation.
>
> In Happy Eyeballs v3 (and many modern clients), TLS and QUIC connection
> setup races in parallel. (Racing between multiple TLS or multiple QUIC
> connections is also possible.) Requiring separate keyshares for each
> of these connection attempts doesn't improve key separation or forward
> secrecy, but it does meaningfully increase the client's CPU cost.

Are you aware of any implementation that might share key share values between TLS/TCP and QUIC handshakes? It seems like that would require inordinate amounts of engineering to achieve. Also, if both server and client take the same shortcut, that's not going to produce a great outcome.
