Hi Usama, The issues raised by the FATT team (see https://datatracker.ietf.org/meeting/125/materials/slides-125-tls-sessa-fatt-report-on-eku-00) have been addressed in earlier versions of the draft:
1. Key schedule / transcript (slide 10): Section 7 now maintains a running transcript hash. Each new main secret is bound to the initial handshake and all previous EKU exchanges. 2. Session ticket resumption (slide 11): Section 7 requires endpoints enabling EKU to disable resumption when the PSKs reside in memory within the rich OS. In addition, the issue you raised in https://github.com/tlswg/tls-key-update/issues/100 has also been addressed in earlier versions. An implementation is available at https://github.com/yaroslavros/rustls/. If your analysis shows an attack, please share the details. -Tiru On Sat, 4 Jul 2026 at 22:10, Muhammad Usama Sardar < [email protected]> wrote: > Hi Hannes, Michael, Tiru, Steffen, and Yarolsav, > > I've seen the diff. It seems like just a PQ-wrapper around -12. Could > you please help me understand how my substantial technical concerns from > IETF 125 have been addressed? Based on my formal analysis, the spec -- > as it is now -- can still lead from high to critical severity > vulnerabilities. > > Is there any proof-of-concept or implementation of this spec where I can > test my attacks? > > Best, > > -Usama > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
