Hi Thom, Thanks, we are on the same page. Some notes inline:
On 20.11.25 01:55, Thom Wiggers wrote:
Op 19 nov 2025, om 21:32 heeft Muhammad Usama Sardar <[email protected]> het volgende geschreven:On 19.11.25 06:36, Thom Wiggers wrote:And indeed, what applies to the Main Secret applies to the other “internal” keys just as well.By "internal keys" you mean all the keys in the TLS 1.3 key schedule except for "exporter value" as defined in Sec. 7.5 of RFC8446bis, right?In other words, the set of "/external/ keys" would have just two keys: 1. "early" exporter value (which takes only ClientHello from handshake) 2. Exporter value (which takes up to ServerFinished from handshake)That sounds about right. Maybe even more strictly, the values _derived from_ the exporter values when the API is called are “external”, as we have some semantics attached to their properties and use outside the handshake.
cool, thanks for confirmation. We are on the same page.
Thanks for this pointer. I see their distinction between internal and external.See https://eprint.iacr.org/2020/1044.pdf
Sure, I asked because I could not find "internal keys" in RFC8446bis. I just wanted to be sure that we are saying the same thing.I was not being super precise or formal here, anyway [1].
[1] Note that I think that most people are not always being formal or even very precise on this mailing list and in other discussions around the IETF.
Well, I disagree: when Hosnieh is claiming a security concern related to key schedule, she has to be precise about the keys. In particular, the way she is equating PSK to Main Secret is just wrong. Doing it repeatedly after being corrected a couple of times seems like intentional spamming to me.
Besides, making claims such as many systems are using PSK-only handshakes without providing a single example is just illogical to me.
-Usama
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
