> On 10 Jul 2017, at 17:16, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
>> 2. this proposal offers significantly better security properties than current practice (central distribution of static RSA keys)
>
> I fail to see any relevant difference in security properties between those two, never mind a significant improvement.
I can see one way in which it is worse. With static RSA keys, you can configure the server to use only PFS ciphersuites (ECDHE-RSA or DHE-RSA). If you want to enable the non-FS, you need to switch to RSA ciphersuites, and that would be obvious to any client. In fact, I think today a server would stick out if it only supported RSA ciphersuites. There is no way to know that a server is doing what it says in the draft. It’s completely opaque to the client.

However, in both cases the server does get FS. As long as the server has not enabled RSA ciphersuites or exportable private key shares, any recorded TLS stream is safe even if the attacker later gets the private key.

Yoav
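The check behind the reply above, as an added example that is not part of the original thread: a client (or a server operator auditing a configuration) can tell from the cipher suite name whether the key exchange is RSA key transport or static (EC)DH, neither of which gives forward secrecy, or ephemeral (EC)DHE, which does unless the share is reused, which the name cannot reveal. The suite names and sample server list are constructed, and `pfs_only_context` is an assumed way of applying the same restriction with Python's ssl module.

```python
import re
import ssl

# Key-exchange family -> does a recorded session stay confidential if the
# server's long-term private key is obtained later (forward secrecy)?
FORWARD_SECRET = {
    "ECDHE": True, "DHE": True, "TLS1.3": True,             # ephemeral shares (if not reused)
    "RSA": False, "ECDH": False, "DH": False, "PSK": False,  # long-term key or static secret
}
# OpenSSL names with no key-exchange prefix (AES128-SHA, DES-CBC3-SHA, ...) mean RSA key transport.
_LEGACY_RSA = re.compile(r"^(AES|CAMELLIA|ARIA|SEED|IDEA|DES|RC4|RC2|NULL)")

def key_exchange(suite: str) -> str:
    """Key-exchange family of a suite in IANA (TLS_ECDHE_RSA_WITH_...) or
    OpenSSL (ECDHE-RSA-...) spelling; unclassified families raise ValueError."""
    name = suite.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return "TLS1.3"  # TLS 1.3 suites name no kx: it is always (EC)DHE
        tokens = name[4:].split("_WITH_", 1)[0].split("_")
    else:
        tokens = name.split("-")
        if _LEGACY_RSA.match(tokens[0]):
            return "RSA"
    if tokens[0] in ("DH", "ECDH") and tokens[1:2] == ["ANON"]:
        raise ValueError(f"anonymous key exchange not classified: {suite!r}")
    if tokens[0] in FORWARD_SECRET:
        return tokens[0]
    raise ValueError(f"unrecognised key exchange in cipher suite {suite!r}")

def is_forward_secret(suite: str) -> bool:
    return FORWARD_SECRET[key_exchange(suite)]

def non_forward_secret(suites):
    """Suites a client would recognise as non-forward-secret if negotiated;
    a server configured for PFS suites only yields an empty list."""
    return [s for s in suites if not is_forward_secret(s)]

def pfs_only_context() -> ssl.SSLContext:
    """Server context limited to ephemeral key exchange (assumption: OpenSSL
    cipher-string syntax); TLS 1.3 suites are ephemeral by construction."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

# Constructed sample: a server list that still offers RSA key transport and static ECDH.
SAMPLE_SERVER_LIST = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
                      "AES256-GCM-SHA384", "ECDH-RSA-AES128-SHA", "TLS_AES_128_GCM_SHA256"]
```

Running `non_forward_secret(c["name"] for c in pfs_only_context().get_ciphers())` audits a live context the same way the sample list is audited.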
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls