Tony:

I want to highlight that draft-green-tls-static-dh-in-tls13-01 does not enable MitM. The server does not share the signing private key, so no other party can perform a valid handshake. Further, the server is choosing to use a (EC)DH key that was generated by the key manager, so it is quite different than the mandatory key escrow used in the Clipper Chip.
Russ

> On Jul 8, 2017, at 11:39 AM, Tony Arcieri <basc...@gmail.com> wrote:
>
> I was one of the people arguing my hardest against the BITS Security proposal
> to continue to (ab)use RSA static keys to allow passive MitM, even though TLS
> 1.3 had already moved forward on what I would call a more modern protocol
> design of the sort I believe payments companies should embrace to improve
> their security.
>
> That said, if people do want to MitM themselves, I would rather there be a
> single, easily detectable and very explicit way of doing so, as opposed to
> sketchy, incompatible, ad hoc mechanisms. Furthermore, it would be nice to
> have a clear answer for these users, lest they continue to make (bad)
> arguments that there is something fundamentally wrong with the design of TLS
> 1.3 that makes it incompatible with "industry requirements".
>
> Clearly there are echoes of the scary protocols of yesteryear, i.e.
> Clipper/LEAP. I think if you visit Matt Green's Twitter page and check the
> image header you will discover he is quite familiar with these things, and my
> personal presumption would be he is not displaying this image to show his
> undying love of the Clipper chip, although perhaps he's an especially crafty
> and duplicitous NSA sleeper agent.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls