Closed rikard-sics closed 1 year ago
Benefit without the fallback is that only method 1 or method 2 need to be implemented. With the fallback both methods need to be implemented.
Security-wise method 1 and 2 should be the same. Both give forward secrecy
We can change updateCtx to only rely on Method 2. Check during interim.
Also means we can simplify computation of X_N, to be X | N instead
Consensus from the interim on September 28 is that this seems fine to do.
Is it fine to only use METHOD 2?
Based on feedback from Christian during IETF 114.