tlswg / tls13-spec

TLS 1.3 Specification

Reusing key shares enables tracking #1285

Closed emanjon closed 1 year ago

emanjon commented 1 year ago

I cannot find anything in the document regarding this, which is surprising, as reusing key shares enables tracking.

I cannot find anything in the document that states that reuse of keys is allowed or forbidden, but my understanding from earlier discussions in the TLS WG is that this is allowed, as summarized in draft-ietf-tls-hybrid-design:

TLS 1.3 does not require that ephemeral public keys be used only in a single key exchange session; some implementations may reuse them

Key shares should probably have similar text to tickets:

Clients SHOULD NOT reuse a ticket for multiple connections. Reuse of a ticket allows passive observers to correlate different connections.

But the requirement for key share applies to both clients and servers.

The sentence "This addition prevents passive observers from correlating connections unless tickets are reused." is not correct unless neither tickets nor key shares are reused.

emanjon commented 1 year ago

Found that Illari raised this on the TLS list in October, but Illari's comment did not seem to get any response, which is also surprising. You can probably get a paper published by investigating how reuse of key shares enables tracking.

https://mailarchive.ietf.org/arch/msg/tls/pv4p1tAwIJXxjad7myyveAubQIo/

emanjon commented 1 year ago

For clients the considerations seem very similar to reuse of tickets. The client is in charge of its own privacy. The server side seems more worrying. A server reusing key shares between two clients can be used by an attacker to correlate connections between two different clients and use that to figure out the server even when ECH is used.
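An added example of the correlation described in the opening comment and in the comment above, written for this page and not taken from the tls13-spec repository, RFC 8446 or any poster in the thread: a passive observer that never decrypts anything, only indexes the public keys carried in the key_share extension of each ClientHello and ServerHello (RFC 8446 section 4.2.8) and reports which connections share one. The message builders, the function names and the three captured connections are constructed test input and assumptions of this example; the builders emit only the fields needed to locate the extension, not interoperable handshake messages.

```python
"""Passive correlation of TLS 1.3 connections by reused key_share public keys.
Added example, not code from tls13-spec or RFC 8446. Layouts follow RFC 8446
sections 4.1.2, 4.1.3 and 4.2.8; builders produce minimal constructed messages."""
import os
import struct
from collections import defaultdict

KEY_SHARE = 0x0033            # extension codepoint, RFC 8446 section 4.2
SUPPORTED_VERSIONS = 0x002B
X25519 = 0x001D               # NamedGroup codepoint, RFC 8446 section 4.2.7
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def _entry(group, pk):        # KeyShareEntry: group, then key_exchange<1..2^16-1>
    return struct.pack("!HH", group, len(pk)) + pk


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(key_shares):
    """Constructed minimal ClientHello carrying the given (group, pk) shares."""
    entries = b"".join(_entry(g, pk) for g, pk in key_shares)
    exts = (_ext(SUPPORTED_VERSIONS, b"\x02\x03\x04")          # offer TLS 1.3 only
            + _ext(KEY_SHARE, struct.pack("!H", len(entries)) + entries))
    body = (b"\x03\x03" + os.urandom(32)                        # legacy_version, random
            + b"\x00"                                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"                               # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(exts)) + exts)
    return _handshake(CLIENT_HELLO, body)


def build_server_hello(group, pk):
    """Constructed minimal ServerHello selecting one (group, pk) share."""
    exts = (_ext(SUPPORTED_VERSIONS, b"\x03\x04")               # selected TLS 1.3
            + _ext(KEY_SHARE, _entry(group, pk)))               # single entry, no list prefix
    body = (b"\x03\x03" + os.urandom(32)
            + b"\x00"                                           # empty legacy_session_id_echo
            + b"\x13\x01"                                       # selected cipher suite
            + b"\x00"                                           # legacy_compression_method
            + struct.pack("!H", len(exts)) + exts)
    return _handshake(SERVER_HELLO, body)


def key_shares_of(msg):
    """Return [(group, pk)] from the key_share extension of a ClientHello or ServerHello."""
    msg_type = msg[0]
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a complete ClientHello or ServerHello")
    off = 2 + 32                                                # legacy_version + random
    off += 1 + body[off]                                        # session id (echo)
    if msg_type == CLIENT_HELLO:
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites list
        off += 1 + body[off]                                    # compression list
    else:
        off += 2 + 1                                            # cipher_suite, compression
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    shares = []
    while off < end:
        ext_type, ext_size = struct.unpack("!HH", body[off:off + 4])
        ext = body[off + 4:off + 4 + ext_size]
        off += 4 + ext_size
        if ext_type != KEY_SHARE:
            continue
        p = 2 if msg_type == CLIENT_HELLO else 0                # client list has 2-byte length
        while p < len(ext):
            group, pk_len = struct.unpack("!HH", ext[p:p + 4])
            shares.append((group, ext[p + 4:p + 4 + pk_len]))
            p += 4 + pk_len
    return shares


def correlate(captures):
    """captures: list of (connection_id, handshake_message). Returns every share seen
    in more than one connection, mapped to those connection ids: what an observer
    learns without breaking any cryptography when a share is reused."""
    seen = defaultdict(list)
    for conn_id, msg in captures:
        for share in key_shares_of(msg):
            if conn_id not in seen[share]:
                seen[share].append(conn_id)
    return {share: ids for share, ids in seen.items() if len(ids) > 1}


def demo():
    """Constructed scenario: client A reuses its share across two connections, and the
    server reuses its share towards clients A and B. Fresh shares stay unlinkable."""
    client_a, server = os.urandom(32), os.urandom(32)
    captures = [
        ("A-1", build_client_hello([(X25519, client_a)])),
        ("A-1", build_server_hello(X25519, server)),
        ("B-1", build_client_hello([(X25519, os.urandom(32))])),
        ("B-1", build_server_hello(X25519, server)),
        ("A-2", build_client_hello([(X25519, client_a)])),
        ("A-2", build_server_hello(X25519, os.urandom(32))),
    ]
    linked = correlate(captures)
    return {"client": linked.get((X25519, client_a)), "server": linked.get((X25519, server))}
```

Running `demo()` links A-1 with A-2 through the client's reused share and A-1 with B-1 through the server's, which is the two-sided point made in the thread: client reuse links one client's sessions, server reuse links different clients to the same server, and the key_share bytes are in the clear regardless of whether a ticket is reused, or, in the ClientHello case, whether ECH protects the rest of the message.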

emanjon commented 1 year ago

Motivation for a normative SHOULD NOT (or MUST NOT) change can be found in charter-ietf-tls-06:

Security and privacy goals will place emphasis on the following: