usnistgov / ACVP

Industry Working Group on Automated Cryptographic Algorithm Validation
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program

TLS 1.0/1.1 extended master secret testing #1489

Open jvdsn opened 5 months ago

jvdsn commented 5 months ago

Right now, it is impossible for FIPS modules to claim the TLS 1.0/1.1 PRF as approved, because the ACVP testing does not support the extended master secret[^1]. On the other hand, for TLS 1.2, FIPS now mandates that the extended master secret is used in approved services[^2]. This creates an inconsistent situation between 1.0/1.1 and 1.2. Extended master secret is considered more secure than the master secret, so TLS clients and servers alike want to use it whenever available.

Will extended master secret testing be added to the TLS 1.0/1.1 PRF?

[^1]: FIPS 140-3 IG D.Q, Additional Comment 1 ("However, it can only be used in the approved mode if CAVP tested. If no CAVP testing is available, there will be no vendor affirmed option")

[^2]: FIPS 140-3 IG D.Q, Resolution ("A new validation, or any revalidation that extends the module's sunset date, submitted more than one year after the publication date of this IG shall use the extended master secret in the TLS 1.2 KDF")

livebe01 commented 5 months ago

Hi @jvdsn, sure this is something we will do. It looks like we've had it on our todo list for some time. I can't tell you when this will be done. Our development focus right now is on the PQC algorithms. But this is something we can work on the side along with handling GitHub tickets.

jvdsn commented 5 months ago

@livebe01 of course. I understand you're very busy right now with PQC algorithms, the upcoming Ascon LWC standard, and possible additions to SP 800-132.