IETF Logo Mail Archive

[TLS] Re: I-D Action: draft-ietf-tls-extended-key-update-12.txt

tirumal reddy <kondtir@gmail.com> Tue, 07 April 2026 06:37 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6B7BCD7528B9 for <tls@mail2.ietf.org>; Mon, 6 Apr 2026 23:37:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775543830; bh=UJydWtGqNMJmnWHJkMPUpzP7WHv3FvFbAbbc8Ik7skc=; h=References:In-Reply-To:From:Date:Subject:To; b=XybTthtKf7UmPQ8LkqA7c9hi3B3MYg3RQj0QvmG92Slb0Zf7/bCMhKCegG7mrjkKp 3LE4MP7pujRi1oe4ScZ4xJsv5CuJRq0YlIElbQ9Fyg1hSt6qArI91dZvWKioxnCuxk AAQwU7UYbs7YZcAm1+lJhYs6yr5+PZ9xPOtMSLq4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QhwLjUnPSn75 for <tls@mail2.ietf.org>; Mon, 6 Apr 2026 23:37:09 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CC086D7528B2 for <tls@ietf.org>; Mon, 6 Apr 2026 23:37:09 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-b982518b73fso752781366b.1 for <tls@ietf.org>; Mon, 06 Apr 2026 23:37:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775543828; cv=none; d=google.com; s=arc-20240605; b=aHYe1vW5Cv59nuGZdDBDag4ktRIxFEKZyl1GkzWHug3ZTYeOxE394Ge+r3WlNQCFs1 Cg3ABXsRJFTR+FnDKiMaXS9rwFBfn7DJ22KOMXXmKZpL3nrUrpGmNy7S8Hbk6QgsrXbo KX5OxUsTW6ajwVK6ERF3hH5w1x/v5IZv2Su750p2geoK364xvO2oq4msnmdwxvPkLCco HMR+oKIxp3V9ameWJ2IhZ+2LppVIDYpZxH024fDBhJzatMLNNNmjhvCuKYZWb1+DrK2X vG8Md6EztllUqxFqzy+r2ROcIGiKaLJcLTxk8GBWStOrJAKWRp+/2ETWfIMf5r+OaYmn 8TQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=sKB+Cw4TWh3SVnBGgVdMwEX/dGvklrumMZIeCj9HgZc=; fh=iMQEz7fIE2XtFWqLUMEt8tz+aEDEJVSqHa2ftqd9oME=; b=kcgpnSUIKxhSU/KdN8w8LpVLXkZwmRYxojB7q4ElYSzL4dh6rAL0AVR7Q7ZsqI2A57 Q0QvcThIG2J67Gxk7l149jb/g0IgwM3gVVaCU7Kp9EU/2p9OacObkUlFDX6kYxyGeMaL C2DpieqC/blCH+5ohTmsHVZTz1a43kGzkXTiCozyEWsIRI9nzsVaFCsBkfAVbaV1Bl3Q XGpIORLO/dAa095xnhk58H980cu0iaImNSXHO261EeU5F5NIQ27O++PdGgYwvfrc5I/8 wUHLC3X/bSiRtAvBqQYwJ4FA40vAu7kYbgot3ltVhQVVHQKBb0vNel62EufM72yC7Pt4 RgIw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775543828; x=1776148628; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=sKB+Cw4TWh3SVnBGgVdMwEX/dGvklrumMZIeCj9HgZc=; b=mHfu469RTSR6X2qk1iTA/JE3KsKyWzaw9iO97VPMscO4HMPtk/meSsAW9RLzFlPBN9 +moEABvXR4SxUH/h2m5bMvFYiS6jnn73nlArTVIVruEKliIokDeB285r6TofP666xTqz K7nJkFzSWm25g54zKm8pbtWa7mi7I+iznAePw04EIq/MEk7A23gN/n4QmHDKrNnApmvM dEgpdKRz2adI1nCQDK9y+AJVdD+/FT+3d/ARQ3hbND+r02iF86Hp5skC7CHojIZWpVPc dKQKjC+MrWy4FBbp+/QsaVav87rzaCbcOvmZ4amPVzkEFC3vuTCAMHvtE50Mm6azIR6K 8mDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775543828; x=1776148628; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sKB+Cw4TWh3SVnBGgVdMwEX/dGvklrumMZIeCj9HgZc=; b=fHRNoSNt+KsXupeX1p5/eLAHIlBCT9miIyIgYme6nl6hW6v3Kptt0L/nJcPBmSyneE Ns79honh8ilTgASVdlqK6TMDXToceBJWIurhFcbgVrQ4qSGAydR+0O7EIPUlpNfVezCc 9wsD9trNjs5QHc2nx3nm2q2R8LA05oHmpDjfMiRmyfan9UInM8zd5bObSBDHakjhTavf 5QkonrqMOSS0/jF9k6JKDVfUnuRfoDy8t2YFGuLRb5ODtBuloFrEvYJgNXs0vVPDym3p HBzAbUMG06DwXtleIx5pOdR/Hcq11jhfAYdjCWNNAVoIYMbsUhhTjTAowWuSrPwVRwfc CiCw==
X-Gm-Message-State: AOJu0Yx/bKDyJrhvVYwZVngIZuNK3L9u25QJwxZz61OP+kbbOnEijVkU NEqOhTAzjb5q1Moh0vf2rI0GyyxY1q3tYxgT7T8c01MBvnZSeyNl6vax/x2HS3jxBBC2jEqSDzL FNg1DMfo9aazBHWZjBjxdbyv2bfIUpUFOrv4o
X-Gm-Gg: AeBDievRd5mHsSu3L4C2AKXKkRfOtAjfkwNT5CaPlTsJ4YQ6h/7SIZ6B3l0AphZ7Y3E sTDTkd7BYBDmEBDsK7q7ZuVNXOeobCJUpd5twiY+aOVMoX9p/R+wAYq2+cbAoO1WFgI7wXOJk0R kD2+ctnCBUbRmaS+F4twIbkaoIQScmy9g/a16y55zUqTuLNjNL51cLNn4PYazNrJ1flbRxj/jjo g4NoK+eVGHNJAaTABjn0XJ9tdAtxMZST5dnfgMVmo9E2MVKBJaj9yO/qsgndapip9bphbMz9Pji bzCnLSQ=
X-Received: by 2002:a17:907:6e90:b0:b9c:69df:4d9d with SMTP id a640c23a62f3a-b9c69df5f34mr728603266b.38.1775543828031; Mon, 06 Apr 2026 23:37:08 -0700 (PDT)
MIME-Version: 1.0
References: <177545882013.732959.3232970951768018722@dt-datatracker-9dc8fdd9f-qcdj9>
In-Reply-To: <177545882013.732959.3232970951768018722@dt-datatracker-9dc8fdd9f-qcdj9>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 07 Apr 2026 12:06:31 +0530
X-Gm-Features: AQROBzBLdVMAY19Xhb754uVKvHa6rsYiKZ6tzBMBgM3n_UVAtoVf8erlvxGfcaA
Message-ID: <CAFpG3gdT0hy8pYhXFFUMBQMUL1G46JT2jr2cJtJNpRhHZNOBvQ@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000272c8c064ed903c6"
Message-ID-Hash: NG2FCXW4Y2ADDRPGNIUDBLHFXEVFHNJR
X-Message-ID-Hash: NG2FCXW4Y2ADDRPGNIUDBLHFXEVFHNJR
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: I-D Action: draft-ietf-tls-extended-key-update-12.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Zx2U3d7WFZJWzG90TtlrUuBKIg8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

The revised draft https://datatracker.ietf.org/doc/draft-ietf-tls-extended-
key-update/ addresses the comments discussed during the WG meeting at
IETF-125 and the pending issues in Github.

-Tiru

On Mon, 6 Apr 2026 at 12:30, <internet-drafts@ietf.org> wrote:

> Internet-Draft draft-ietf-tls-extended-key-update-12.txt is now available.
> It
> is a work item of the Transport Layer Security (TLS) WG of the IETF.
>
>    Title:   Extended Key Update for Transport Layer Security (TLS) 1.3
>    Authors: Hannes Tschofenig
>             Michael Tüxen
>             Tirumaleswar Reddy
>             Steffen Fries
>             Yaroslav Rosomakho
>    Name:    draft-ietf-tls-extended-key-update-12.txt
>    Pages:   42
>    Dates:   2026-04-05
>
> Abstract:
>
>    TLS 1.3 ensures forward secrecy by performing an ephemeral Diffie-
>    Hellman key exchange during the initial handshake, protecting past
>    communications even if a party's long-term keys (typically a private
>    key with a corresponding certificate) are later compromised.  While
>    the built-in KeyUpdate mechanism allows application traffic keys to
>    be refreshed during a session, it does not incorporate fresh entropy
>    from a new key exchange and therefore does not provide post-
>    compromise security.  This limitation can pose a security risk in
>    long-lived sessions, such as those found in industrial IoT or
>    telecommunications environments.
>
>    To address this, this specification defines an extended key update
>    mechanism that performs a fresh Diffie-Hellman exchange within an
>    active session, thereby ensuring post-compromise security.  By
>    forcing attackers to exfiltrate new key material repeatedly, this
>    approach mitigates the risks associated with static key compromise.
>    Regular renewal of session keys helps contain the impact of such
>    compromises.  The extension is applicable to both TLS 1.3 and DTLS
>    1.3.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tls-extended-key-update/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-tls-extended-key-update-12.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-extended-key-update-12
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.40.4 | Report a Bug | By Email | System Status