That would require the client to be compromised though right? My understanding is that the client is making the decision whether to retransmit with the new key.
Now it's fair to question whether you can trust the client, but if you can't then there's no limit to what they could do.
Now it's fair to question whether you can trust the client, but if you can't then there's no limit to what they could do.