On 11.09.25 20:20, Eric Rescorla wrote:
>
> ## 7.2
>
> > Once the handshake is complete, it is possible for either side to
> > update its sending traffic keys.
>
> keys -> key.
>
> > application_traffic_secret_0 ... application_traffic_secret_N ...
> > application_traffic_secret_N+1
>
> It might be better to use a single `application_traffic_secret`
> instead of multiple `application_traffic_secret_XXX`:
>
> ```
> application_traffic_secret =
>     HKDF-Expand-Label(application_traffic_secret,
>                       "traffic upd", "", Hash.length)
> ```

In my opinion this would be less clear.

In general, I would have appreciated being more explicit on the key schedule [1], but on the above point, I agree with Ekr. In particular, the notation is sufficiently clarified in the sentence next to the one which is quoted above, i.e.,
> The next generation of traffic keys is computed by generating client_/server_application_traffic_secret_N+1 from client_/server_application_traffic_secret_N
Usama

[1] https://github.com/tlswg/tls13-spec/pull/1395/files
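
The derivation discussed in this thread, as an added example that is not part of either message or of the draft: it computes successive generations of `application_traffic_secret` with HKDF-Expand-Label as defined in RFC 8446, section 7.1, and shows that the indexed notation and the single-variable notation describe the same chain. SHA-256 as the hash, the helper names and the starting secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256          # assumption: a SHA-256 based cipher suite
HASH_LEN = HASH().digest_size  # Hash.length (32 bytes for SHA-256)


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Serialize the HkdfLabel structure (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HASH."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


def next_traffic_secret(secret_n: bytes) -> bytes:
    """application_traffic_secret_N -> application_traffic_secret_N+1."""
    return hkdf_expand_label(secret_n, b"traffic upd", b"", HASH_LEN)


def generations(secret_0: bytes, count: int) -> list:
    """Indexed notation: [secret_0, secret_1, ..., secret_count]."""
    chain = [secret_0]
    for _ in range(count):
        chain.append(next_traffic_secret(chain[-1]))
    return chain


# Constructed sample value, not the output of a real handshake.
SECRET_0 = bytes(range(HASH_LEN))

if __name__ == "__main__":
    for n, secret in enumerate(generations(SECRET_0, 3)):
        print(f"application_traffic_secret_{n} = {secret.hex()}")
```

Each side runs this chain separately for its own client_ or server_ sending secret.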
