Adding comment which caveats OPRF seed usage #455

Merged
merged 1 commit into from
May 21, 2024


kevinlewi
Collaborator

We are adding a caveat to the original text,

"The oprf_seed value SHOULD be used for all clients; see {{preventing-client-enumeration}}."

The reason being that the leakage of this global value would compromise security for all users that depend on this value, and one could arguably improve security of the protocol against this kind of compromise by sampling independent OPRF keys. However, we still keep the recommendation to use the global seed value in this way in favor of protecting against client enumeration attacks.

But, applications that don't care about preventing client enumeration can feel free to use independently-sampled OPRF keys.

kevinlewi requested review from chris-wood and bytemare, May 21, 2024 04:45
kevinlewi force-pushed the oprf_seed_clarification branch from e7abe39 to d2738f0, May 21, 2024 04:53
kevinlewi merged commit ff9c892 into cfrg:master, May 21, 2024
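
The trade-off described in the comment above, as an added sketch that is not part of the pull request or the draft's own code: one server derives every client's key material from a global `oprf_seed`, the other samples keys independently. The class names, `toy_prf` (an HMAC stand-in for real OPRF evaluation), the key length and the `"OprfKey"` derivation label are assumptions made for illustration, and the step that turns the derived bytes into an OPRF key pair is left out.

```python
import hashlib
import hmac
import secrets

NOK = 32  # OPRF private key length in bytes (assumed for this sketch)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def toy_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for OPRF evaluation; a real OPRF works on blinded group elements."""
    return hmac.new(key, data, hashlib.sha256).digest()

class SeedServer:
    """Every client's key material is derived from one global oprf_seed."""
    def __init__(self, oprf_seed: bytes):
        self.oprf_seed = oprf_seed

    def key_for(self, credential_identifier: bytes) -> bytes:
        # Defined for any identifier, registered or not, so answers never vary.
        # Anyone holding oprf_seed can recompute this for every client.
        return hkdf_expand(self.oprf_seed, credential_identifier + b"OprfKey", NOK)

class IndependentServer:
    """Each registered client gets an independently sampled key."""
    def __init__(self):
        self.keys = {}

    def register(self, credential_identifier: bytes) -> None:
        self.keys[credential_identifier] = secrets.token_bytes(NOK)

    def key_for(self, credential_identifier: bytes) -> bytes:
        # No stored key for an unknown identifier: a fresh random one is the
        # only thing this design can answer with, so repeat answers differ.
        stored = self.keys.get(credential_identifier)
        return stored if stored is not None else secrets.token_bytes(NOK)

def answers_are_stable(server, credential_identifier: bytes) -> bool:
    """True if two requests for the same identifier evaluate identically."""
    probe = b"constructed-probe-input"
    first = toy_prf(server.key_for(credential_identifier), probe)
    second = toy_prf(server.key_for(credential_identifier), probe)
    return first == second
```

With the seed-derived design an unregistered identifier gets the same answer on every request, which is the client-enumeration protection the recommendation keeps; with independent keys only registered identifiers answer consistently, but no single secret yields every client's key.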
1 check passed