Illari wrote:

> Should there be "SHOULD NOT reuse key shares between client hellos"? I didn't find such a requirement (or maybe it is there but I just missed it), which I think is odd, given that there is a similar requirement for tickets, and reusing key shares has a similar impact as reusing tickets.
>
> Such reuse is especially bad if SNI differs, or if the group is not actually safe for key reuse. (In case of hybrid key exchanges, implementations might reuse shares within the same client hello. E.g., reusing the same X25519 key both for x25519 and x25519+kyber768.)

I also thought about this when reading the text about tickets and created an issue, then I found this. I am surprised that this did not get any responses on the list. This is quite a big issue. I really hope that HTTP/2 and HTTP/3 implementations are not doing this.

https://github.com/tlswg/tls13-spec/issues/1285

Cheers,
John
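A defender-side audit for the two kinds of reuse discussed in this thread, added here as an example and not taken from the thread or from any TLS implementation: it parses ClientHello bodies, reports a key_exchange value that was sent in more than one ClientHello together with the SNIs it went to, and reports an X25519 share that reappears as the prefix of a hybrid share inside the same ClientHello. The sample hellos are constructed; the hybrid group codepoint 0x6399 and the "32-byte X25519 key followed by a 1184-byte Kyber768 key" layout are assumptions.

```python
import struct
SNI, KEY_SHARE = 0, 51                    # extension types (RFC 6066, RFC 8446)
X25519, X25519_KYBER768 = 0x001D, 0x6399  # 0x6399: early X25519Kyber768Draft00 codepoint (assumed)

def parse_client_hello(body: bytes):
    """Return (sni, [(group, key_exchange)]) from a ClientHello handshake body (no record header)."""
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # legacy_compression_methods
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos, sni, shares = pos + 2, None, []
    while pos < ext_end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == SNI:                                # first host_name entry only
            sni = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode()
        elif etype == KEY_SHARE:
            p = 2                                       # skip client_shares length
            while p < len(data):
                group, klen = struct.unpack_from("!HH", data, p)
                shares.append((group, data[p + 4:p + 4 + klen]))
                p += 4 + klen
    return sni, shares

def build_client_hello(sni: str, shares) -> bytes:
    """Minimal ClientHello body for the samples: one cipher suite, SNI and key_share only."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ks_ext = struct.pack("!H", sum(4 + len(k) for _, k in shares)) + b"".join(
        struct.pack("!HH", g, len(k)) + k for g, k in shares)
    exts = struct.pack("!HH", SNI, len(sni_ext)) + sni_ext + struct.pack("!HH", KEY_SHARE, len(ks_ext)) + ks_ext
    return b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts

def find_share_reuse(hellos):
    """Return (cross-hello reuse: key hex -> SNIs, within-hello reuse: (sni, key hex) where a share prefixes a longer one)."""
    seen, hybrid = {}, []
    for body in hellos:
        sni, shares = parse_client_hello(body)
        keys = [k for _, k in shares]
        hybrid += [(sni, a.hex()) for a in keys for b in keys if len(a) < len(b) and b.startswith(a)]
        for key in keys:
            seen.setdefault(key.hex(), []).append(sni)
    return {k: v for k, v in seen.items() if len(v) > 1}, hybrid

# Constructed sample: 32-byte stand-in keys and a zero-filled Kyber768 part, not real key material.
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
HELLOS = [build_client_hello("a.example", [(X25519, KEY_A)]),
          build_client_hello("b.example", [(X25519, KEY_A)]),   # same share, different SNI
          build_client_hello("c.example", [(X25519, KEY_B), (X25519_KYBER768, KEY_B + bytes(1184))])]
```

Run over captured ClientHello bodies from a client under test, the first result is non-empty exactly when a share crossed ClientHello boundaries, and the second when an X25519 key was shared between a plain and a hybrid group in one hello.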
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls