ietf-wg-webtrans / draft-ietf-webtrans-http2

WebTransport using HTTP/2

Keying Material Exporters #113

Open lqf96 opened 2 months ago

lqf96 commented 2 months ago

WebTransport over HTTP/2 should support keying material exporters, originally proposed in ietf-wg-webtrans/draft-ietf-webtrans-http3#116, since it's also based on TLS 1.3. Perhaps this can be done by simply copying Section 4.7 of WebTransport over HTTP/3 Spec and making minimal adaptations.

DavidSchinazi commented 1 month ago

Chair: Discussed at IETF 120. In general this should mimic what we did in h3. There is however one wrinkle: HTTP/2 can run over TLS 1.2, and TLS key exporters are unsafe when using TLS 1.2 without the extended master secret extension. Our options are to either

DavidSchinazi commented 2 weeks ago

Discussed in editor's call. Sense of the room was to forbid the use of WebTransport over h2 unless TLS >= 1.3 or TLS == 1.2 && extended master secret extension enabled. We also noted that the overview document says SHOULD use TLS version 1.3 or later. Please comment on this issue if you have an opinion, otherwise we'll ask someone to write a PR.

martinthomson commented 2 weeks ago

Damn, I thought we'd already required the use of session hash in HTTP/2. I guess we didn't. This is the only reasonable thing to do if you use exporters, so 👍 from me.
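As an added example (not code from this issue thread, the draft, or its authors), the gate the thread converges on, sketched with Go's crypto/tls: derive exporter output only on TLS 1.3 or later, or on TLS 1.2 when extended master secret was negotiated, and show both ends of an in-memory TLS 1.3 handshake obtaining the same bytes. The exporter label is a made-up value, and the `ems` flag passed to the gate is assumed to come from the caller's TLS stack, since Go's `ConnectionState` does not report whether the extension was negotiated (irrelevant here because the example pins TLS 1.3).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// exporterPermitted is the thread's gate: TLS 1.3+, or TLS 1.2 only with extended master secret (RFC 7627) negotiated.
func exporterPermitted(version uint16, ems bool) bool {
	return version >= tls.VersionTLS13 || (version == tls.VersionTLS12 && ems)
}

// selfSignedCert makes a throwaway Ed25519 certificate for the in-memory handshake.
func selfSignedCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// exportBothSides runs a TLS 1.3 handshake over net.Pipe (session tickets disabled so the
// synchronous pipe cannot stall), applies the gate, then derives 32 exporter bytes on each end.
func exportBothSides(label string) (clientEKM, serverEKM []byte, err error) {
	cConn, sConn := net.Pipe()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{selfSignedCert()},
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	cli := tls.Client(cConn, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13})
	go srv.Handshake() // server side runs concurrently; its outcome is read via HandshakeComplete
	if err = cli.Handshake(); err != nil {
		return nil, nil, err
	}
	ccs, scs := cli.ConnectionState(), srv.ConnectionState() // srv call blocks until its handshake ends
	if !scs.HandshakeComplete || !exporterPermitted(scs.Version, false) {
		return nil, nil, errors.New("handshake incomplete or TLS version does not permit exporters")
	}
	if clientEKM, err = ccs.ExportKeyingMaterial(label, nil, 32); err != nil {
		return nil, nil, err
	}
	serverEKM, err = scs.ExportKeyingMaterial(label, nil, 32)
	return clientEKM, serverEKM, err
}
```

Go 1.22 and later already refuse ExportKeyingMaterial on a TLS 1.2 connection that did not negotiate extended master secret, so the explicit gate mirrors the library's own rule and makes the policy visible at the application layer.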