Closed chrysn closed 9 months ago
Good catch! Even though Section 4.3 "Key Update with Forward Secrecy" including that text is about the FS mode, it's good that it gives a heads-up about this point.
Then I think that this point can be also restated in Section 4.5.1 "Handling and Use of Keying Material". The "original context" CTX_OLD is the one including the Bootstrap Master Secret and Bootstrap Master Salt.
We now have text about when not to delete CTX_OLD in the section "Selection of KUDOS Mode". That may be sufficient.
"Once a peer has successfully decrypted and verified an incoming message protected with CTX_NEW, that peer MUST discard the old Security Context CTX_OLD."
When in non-FS mode and CTX_OLD is the original context, the peer can't do that.