On Fri, Jul 7, 2017 at 6:10 PM, Christian Huitema <huit...@huitema.net> wrote: > > > On 7/7/2017 2:54 PM, Russ Housley wrote: >> Stephen: >> ... >>> And also: I'm sorry to have to say it, but I consider that >>> attempted weasel wording around the clear intent of 2804. The >>> clear and real effect if your wiretapping proposal were standardised >>> by the IETF would be that we'd be standardising ways in which >>> TLS servers can be compelled into breaking TLS - it'd be a standard >>> wiretapping API that'd be insisted upon in many places and would >>> mean significantly degrading TLS (only *the* most important >>> security protocol we maintain) and the community's perception >>> of the IETF. It's all a shockingly bad idea. >> I clearly disagree. Otherwise, I would not have put any work into the draft. > Russ, > > What are the specific mechanisms that would allow this technique to be > used where you > intend it, i.e. within a data center, and not where Stephen fears it > would be, i.e., on > the broad Internet? For example, what mechanism could a client use to > guarantee > that this sort of "static DH" intercept could NOT be used against them?
The server can send the plaintext to whomever it likes. This is the solution enterprises can use today. Nothing can stop that from happening. So I don't see why static DH is a) so essentially necessary and b) so controversial. >From a technical point I prefer using DH shares derived from ServerRandom as this avoids certain bugs I've been known to exploit from time to time. > > -- > Christian Huitema > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Man is born free, but everywhere he is in chains". --Rousseau. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
