Hi Usama,

The issues raised by the FATT team (see
https://datatracker.ietf.org/meeting/125/materials/slides-125-tls-sessa-fatt-report-on-eku-00)
have been addressed in earlier versions of the draft:

1. Key schedule / transcript (slide 10): Section 7 now maintains a running
transcript hash. Each new main secret is bound to the initial handshake and
all previous EKU exchanges.
2. Session ticket resumption (slide 11): Section 7 requires endpoints
enabling EKU to disable resumption when the PSKs reside in memory within
the rich OS.

In addition, the issue you raised in
https://github.com/tlswg/tls-key-update/issues/100 has also been addressed
in earlier versions.

An implementation is available at https://github.com/yaroslavros/rustls/.

If your analysis shows an attack, please share the details.

-Tiru

On Sat, 4 Jul 2026 at 22:10, Muhammad Usama Sardar <
[email protected]> wrote:

> Hi Hannes, Michael, Tiru, Steffen, and Yarolsav,
>
> I've seen the diff. It seems like just a PQ-wrapper around -12. Could
> you please help me understand how my substantial technical concerns from
> IETF 125 have been addressed? Based on my formal analysis, the spec --
> as it is now -- can still lead from high to critical severity
> vulnerabilities.
>
> Is there any proof-of-concept or implementation of this spec where I can
> test my attacks?
>
> Best,
>
> -Usama
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to