cfrg / draft-irtf-cfrg-opaque

The OPAQUE Asymmetric PAKE Protocol
https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html

Adding comment which caveats OPRF seed usage #455

Closed kevinlewi closed 6 months ago

kevinlewi commented 6 months ago

We are adding a caveat to the original text,

"The oprf_seed value SHOULD be used for all clients; see {{preventing-client-enumeration}}."

The reason is that the leakage of this global value would compromise security for all users that depend on this value, and one could arguably improve security of the protocol against this kind of compromise by sampling independent OPRF keys. However, we still keep the recommendation to use the global seed value in this way in favor of protecting against client enumeration attacks.

But applications that don't care about preventing client enumeration can feel free to use independently-sampled OPRF keys.
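
The trade-off described in the comment above, as an added example that is not part of the pull request or the draft's own code: a server deriving per-client key seeds from one global `oprf_seed` next to a server sampling them independently. It assumes the OPAQUE draft's `Expand(oprf_seed, credential_identifier || "OprfKey", Nseed)` derivation with HKDF-SHA-512 and `Nseed = 32`, none of which appears on this page, and it stops at the per-client seed rather than running `DeriveKeyPair`; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

NSEED = 32  # assumed seed length in bytes (Nseed in the OPAQUE draft)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) instantiated with SHA-512."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        out += block
        counter += 1
    return out[:length]

class GlobalSeedServer:
    """One oprf_seed for all clients; per-client key seeds are derived on demand."""
    def __init__(self, oprf_seed: bytes):
        self.oprf_seed = oprf_seed

    def key_seed(self, credential_identifier: bytes) -> bytes:
        # Same derivation whether or not the identifier was ever registered,
        # so an unknown client still gets a stable key and a uniform response.
        return hkdf_expand(self.oprf_seed, credential_identifier + b"OprfKey", NSEED)

class IndependentKeyServer:
    """Each registered client gets an independently sampled key seed."""
    def __init__(self):
        self.keys = {}

    def register(self, credential_identifier: bytes) -> None:
        self.keys[credential_identifier] = secrets.token_bytes(NSEED)

    def key_seed(self, credential_identifier: bytes):
        # No record means no key: the server has to special-case unknown
        # clients, which is where enumeration can become observable.
        return self.keys.get(credential_identifier)

def exposed_by_seed_leak(leaked_seed: bytes, identifiers):
    """Blast radius of a seed leak: every client's key seed is recomputable."""
    return {cid: hkdf_expand(leaked_seed, cid + b"OprfKey", NSEED) for cid in identifiers}

if __name__ == "__main__":
    server = GlobalSeedServer(secrets.token_bytes(64))  # constructed sample seed
    print(server.key_seed(b"alice").hex())
    print(server.key_seed(b"never-registered").hex())
```

With independent keys, a leaked record exposes only that client's key, which is the improvement the comment weighs against the enumeration protection of the global seed.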