Hi Muhammad,
> On 19 Nov 2025, at 21:32, Muhammad Usama Sardar
> <[email protected]> wrote:
>
> Hi Thom,
>
> Many thanks for clarification. Another small clarifying question inline:
>
> On 19.11.25 06:36, Thom Wiggers wrote:
>>
>> And indeed, what applies to the Main Secret applies to the other “internal”
>> keys just as well.
> By "internal keys" you mean all the keys in the TLS 1.3 key schedule except
> for "exporter value" as defined in Sec. 7.5 of RFC8446bis, right?
>
> In other words, the set of "external keys" would have just two keys:
>
> "early" exporter value (which takes only ClientHello from handshake)
> Exporter value (which takes up to ServerFinished from handshake)

That sounds about right. Maybe even more strictly, the values _derived from_
the exporter values when the API is called are “external”, as we have some
semantics attached to their properties and use outside the handshake.

I suppose that some could consider the application traffic keys external keys,
because there is some use case in which you load them into some encryption
offload thingy. Another fun and weird way to view things is in the multi-stage
model where some keys need different handling of oracle queries for
the keys that are used for encryption (“external”) in the handshake versus keys
that are only derived as intermediate values. But that’s a bit of a modelling
artefact. See https://eprint.iacr.org/2020/1044.pdf

I was not being super precise or formal here, anyway [1]. I initially mostly
meant this in a “how you should interact with a plausible implementation of
TLS” kind of way. I don’t think anyone was particularly confused about that
general idea, even if the exact concept was maybe fuzzy(?)

Cheers,
Thom

[1] Note that I think that most people are not always being formal or even very
precise on this mailing list and in other discussions around the IETF. When
people intend to be formal and precise, they usually indicate this somehow e.g.
by writing/referencing actual specs.
_______________________________________________
TLS mailing list -- [email protected]
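The internal/external split discussed in this thread, as an added example that is not part of the original message or of any TLS library: the RFC 8446 key schedule runs inside a session object, and only the Section 7.5 exporter output crosses the API boundary. Assumptions: a SHA-256 cipher suite, no PSK, a hypothetical `Tls13Session` class, and constructed ECDHE, transcript and label bytes; the early exporter is omitted.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # assumption: a SHA-256 cipher suite
HLEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel: uint16 length, then length-prefixed "tls13 " + label and context
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HLEN)

class Tls13Session:  # hypothetical name, not a real library's API
    """Key-schedule secrets stay internal; only export() output leaves."""

    def __init__(self, ecdhe: bytes, transcript: bytes, psk: bytes = bytes(HLEN)):
        zeros = bytes(HLEN)
        early = hkdf_extract(zeros, psk)
        handshake = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe)
        main = hkdf_extract(derive_secret(handshake, b"derived", b""), zeros)
        # transcript stands for ClientHello..server Finished
        self._app_traffic = derive_secret(main, b"c ap traffic", transcript)
        self._exporter_secret = derive_secret(main, b"exp master", transcript)

    def export(self, label: bytes, context: bytes, length: int) -> bytes:
        # RFC 8446 Section 7.5: the value handed to the caller
        per_label = derive_secret(self._exporter_secret, label, b"")
        return hkdf_expand_label(per_label, b"exporter", HASH(context).digest(), length)

if __name__ == "__main__":
    # Constructed inputs: placeholder ECDHE share and transcript bytes
    s = Tls13Session(b"\x01" * 32, b"constructed handshake transcript")
    print(s.export(b"EXPORTER-example", b"channel-1", 32).hex())
```

Because each exported value is bound to its label and context, handing one to an application does not give it the exporter secret, the Main Secret, or another label's output.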