On Mon, Oct 24, 2022 at 01:07:25PM -0700, Eric Rescorla wrote:
> Hi Folks,
>
> I have just published draft-ietf-tls-rfc8446bis-05, with
> the following changes:

Should there be "SHOULD NOT reuse key shares between client hellos"? I didn't find such a requirement (or maybe it is there but I just missed it), which I think is odd, given that there is a similar requirement for tickets, and reusing key shares has a similar impact as reusing tickets.

Such reuse is especially bad if SNI differs, or if the group is not actually safe for key reuse. (In case of hybrid key exchanges, implementations might reuse shares within the same client hello. E.g., reusing the same X25519 key both for x25519 and x25519+kyber768.)

And then section 5.5 contains "SHOULD not". I presume that should be "SHOULD NOT".

-Ilari
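The two reuse patterns raised in the message above (the same key share offered again in a later ClientHello, possibly under a different SNI, and the same X25519 share embedded in a hybrid share of the same hello) can be checked for passively from the key_share extension alone. The following is an added example, not code from the thread or the draft: it encodes and parses the ClientHello form of the key_share extension as defined in RFC 8446 (a 2-byte client_shares length followed by KeyShareEntry records of group, key_exchange length and key_exchange bytes) and runs a small monitor over a few constructed hellos. The hybrid code point 0x6399 and the assumed layout of a hybrid share as the X25519 share followed by the Kyber768 encapsulation key are taken from the X25519Kyber768Draft00 proposal and are assumptions, not something the message states; the sample keys are constructed.

```python
import struct
from collections import defaultdict

X25519 = 0x001D           # NamedGroup code point for x25519 (RFC 8446)
X25519_KYBER768 = 0x6399  # assumed: code point used by X25519Kyber768Draft00
X25519_LEN = 32           # x25519 key_exchange is always 32 bytes


def encode_key_share(shares):
    """Build a ClientHello key_share extension body from (group, key_exchange) pairs."""
    body = b"".join(struct.pack("!HH", group, len(key)) + key for group, key in shares)
    return struct.pack("!H", len(body)) + body


def parse_key_share(data):
    """Parse a ClientHello key_share extension body into a list of (group, key_exchange)."""
    if len(data) < 2:
        raise ValueError("truncated key_share")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("client_shares length mismatch")
    shares, pos, end = [], 2, 2 + total
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + klen > end:
            raise ValueError("truncated key_exchange")
        shares.append((group, data[pos:pos + klen]))
        pos += klen
    return shares


def intra_hello_reuse(shares):
    """Groups whose share starts with an x25519 share sent in the same hello.

    Assumes the hybrid layout x25519_share || kyber_share; a hybrid share whose
    first 32 bytes equal a standalone x25519 share in the same hello is flagged.
    """
    x25519_keys = {key for g, key in shares if g == X25519 and len(key) == X25519_LEN}
    return sorted(g for g, key in shares if g != X25519 and key[:X25519_LEN] in x25519_keys)


class KeyShareReuseMonitor:
    """Remembers key_exchange values across ClientHellos and reports repeats."""

    def __init__(self):
        # (group, key_exchange) -> set of SNI names the share was offered to
        self.seen = defaultdict(set)

    def observe(self, sni, key_share_ext):
        """Record one ClientHello's key_share; return a list of human-readable findings."""
        findings = []
        shares = parse_key_share(key_share_ext)
        for g in intra_hello_reuse(shares):
            findings.append(f"x25519 share reused inside hybrid group 0x{g:04x} in the same hello")
        for group, key in shares:
            prior = self.seen[(group, key)]
            if prior:
                kind = "same SNI" if sni in prior else "different SNI"
                findings.append(
                    f"group 0x{group:04x} key share reused across hellos ({kind}: {sorted(prior)})")
            prior.add(sni)
        return findings


if __name__ == "__main__":
    # Constructed sample shares: two distinct x25519 keys and a dummy Kyber768 key
    ka, kb, kyber = bytes(range(32)), bytes(range(32, 64)), b"\x55" * 1184
    mon = KeyShareReuseMonitor()
    print(mon.observe("a.example", encode_key_share([(X25519, ka)])))
    print(mon.observe("b.example", encode_key_share([(X25519, ka)])))
    print(mon.observe("a.example", encode_key_share([(X25519, kb), (X25519_KYBER768, kb + kyber)])))
```

The first hello produces no findings, the second flags the x25519 share being offered again to a different SNI, and the third flags the x25519 share that reappears as the prefix of the hybrid share in the same hello. A fresh share per ClientHello keeps both lists empty.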