On Fri, Mar 5, 2021, 10:43 AM John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
>
> >While renegotiation will never be re-added, there is post-handshake
> >authentication (RFC 8446, section 4.6.2), and while that is currently
> >about authenticating the _client_ to the server, it should be trivial to
> >extend the protocol to support re-authenticating the server to the
> >client as well.
>
> I think the current Post-Handshake authentication is not really suitable for
> long-term connections. It assures that the other party is still alive but it
> does not shut out any other third parties with access to
> application_traffic_secret_N. Such parties may have gotten the key with or
> without collaboration with one of the nodes.

The application traffic secret N+1 and the security of the authentication is
unaffected by compromise of key N AFAIK. I'm not sure what property you want
here that is stronger.

Sincerely,
Watson Ladd