I'd like to raise another point. Static Diffie-Hellman is a cryptographically problematic construction. Not only was it found to be fragile to implement in the prime field variant (LogJam), the Elliptic Curve variant has recently been identified as troublesome as well (see recent JWE vulnerability https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html and CVE-2017-8932). Furthermore, many post-quantum key exchange mechanisms cannot be secured with repeated key shares (SIDH is one example).
Encouraging (or worse, standardizing) the repeated use of a key share seems risky and shortsighted. For this reason, and the fact that there are alternative techniques to achieve the same goals (put the symmetric key material in a serverhello extension encrypted with an exfiltration key, for example), I don't think this proposal should be considered. If alternative proposals are presented that don't require key shares to be reused, I am not against discussing them.

Nick

On Sat, Jul 15, 2017 at 10:16 AM Dobbins, Roland <rdobb...@arbor.net> wrote:
>
> On Jul 15, 2017, at 16:05, Dobbins, Roland <rdobb...@arbor.net> wrote:
>
> There is plenty of information on these topics available on the Internet
> today.
>
> At the risk of self-replying, it should also be noted that highly
> informative discussions of these challenges, & detailed presentations
> thereof, have taken place in WG meetings at previous IETF meetings.
>
> There has also been ample time since those discussions & presentations to
> gain additional understanding & insight.
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
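The JWE issue cited above comes from ECDH implementations that accept a peer point without checking that it lies on the curve; with a one-time key share an invalid point costs the victim one session, but a reused share lets the same private scalar be probed many times, which is the risk the message is pointing at. (The Go CVE is a different defect, a carry-propagation bug in P-256 scalar multiplication, and is fixed by patching rather than by point validation.) The following is an added example, not code from the thread or from any TLS implementation: a pure-Python P-256 key agreement that performs full public-key validation (range check, on-curve check, rejection of the point at infinity; P-256 has cofactor 1, so no subgroup check is needed) before combining the peer point with the private scalar. The curve constants are the standard P-256 parameters; the invalid point and the private scalars are constructed for illustration, and the `validate=False` path exists only to show that the group-law formulas run silently on an off-curve input, which is what a validation check is guarding against.

```python
# Added example (not from the thread): validating an ECDH peer point on
# NIST P-256 before it is combined with a (possibly reused) private scalar.
# Affine arithmetic over the prime field; constants are the standard P-256
# domain parameters. Requires Python 3.8+ for pow(x, -1, p).

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Constructed invalid point: same x as G, y shifted by one, so it does not
# satisfy the curve equation. A validating implementation must reject it.
BAD_POINT = (P256_G[0], (P256_G[1] + 1) % P256_P)


def is_on_curve(point):
    """True if point is the point at infinity (None) or satisfies
    y^2 = x^3 + a*x + b (mod p)."""
    if point is None:
        return True
    x, y = point
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_peer_point(point):
    """Full public-key validation for P-256 (cofactor 1: no subgroup check)."""
    if point is None:
        return False  # the point at infinity is never an acceptable peer key
    x, y = point
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False  # coordinates must be reduced field elements
    return is_on_curve(point)


def point_add(p1, p2):
    """Group law in affine coordinates. Note that b never appears here:
    the same formulas run on any (x, y), on the curve or not."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None  # p1 == -p2, result is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow((2 * y1) % P256_P, -1, P256_P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P256_P, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def scalar_mult(k, point):
    """Left-to-right double-and-add (not constant time; illustration only)."""
    result = None
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, point)
    return result


def ecdh(private_scalar, peer_point, validate=True):
    """Return the x-coordinate of private_scalar * peer_point.

    With validate=True (the only setting a real implementation should use)
    an out-of-range scalar, an off-curve point or a degenerate result is
    rejected before any secret-dependent arithmetic takes place."""
    if not (1 <= private_scalar < P256_N):
        raise ValueError("private scalar out of range")
    if validate and not validate_peer_point(peer_point):
        raise ValueError("peer public key failed validation")
    shared = scalar_mult(private_scalar, peer_point)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


if __name__ == "__main__":
    # Constructed private scalars for a demonstration key agreement.
    d_server, d_client = 123456789, 987654321
    pub_server = scalar_mult(d_server, P256_G)
    pub_client = scalar_mult(d_client, P256_G)
    assert ecdh(d_server, pub_client) == ecdh(d_client, pub_server)
    print("valid peer point: agreement succeeds")
    try:
        ecdh(d_server, BAD_POINT)
    except ValueError as exc:
        print("invalid peer point rejected:", exc)
```

The point to take from the example is that `point_add` never consults `b`, so an implementation that skips `validate_peer_point` happily computes a "shared secret" on a point from some other curve; a server that reuses its scalar across many such handshakes is the one that has something to lose. Production code should use a vetted library with constant-time arithmetic; this block exists to make the validation step and its placement (before the scalar is used) explicit.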