On 11/07/17 20:48, Ted Lemon wrote:
> On Jul 11, 2017, at 3:40 PM, Stephen Farrell
> <stephen.farr...@cs.tcd.ie> wrote:
>> It'd seem possible for a server to hold a rather long list of
>> re-used static DH values and unlikely for normal clients to detect
>> those.
> 
> Bearing in mind that the current proposal is intended to perpetuate a
> well-established use model so as to avoid having to re-tool, I don’t
> think this is a real concern. In practice I expect that the number of
> keys used in such a system will be small because the operational
> burden of making it large will be enough to motivate re-tooling.
> 
> So in practice I would expect a client to be able to cache enough
> keys to notice this attack, if the user were motivated, or the client
> vendor considered this to be a credible threat worth addressing.

I can't see that happening. Once the first example.com is called
out for using this, others will make their list longer or take
other approaches, e.g. use one exfiltrated private value as a
seed for others via some proprietary mechanism.

Actually, that calls out another reason to not standardise or
further develop this - any such standard is either undetectable
or leads to deployments deviating from the standard to become less
detectable - both undesirable outcomes. That latter case also
destroys the "but we should scrutinise it" argument IMO as the
"it" will change to be undetectable and not the "it" that was
ostensibly scrutinised.

S.
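
Added illustration (not part of the thread above, and not code from either
poster): the exchange turns on whether a client that remembers recently seen
server key shares can notice when a server re-uses a "static" DH value, and
whether a server can defeat that by rotating through a longer list than the
client remembers. The sketch below models exactly that with a bounded
per-host LRU memory of share digests and a server that round-robins through
a pool of shares. The share values, host name and pool sizes are constructed
stand-ins, not real TLS key shares or real servers.

```python
import hashlib
from collections import OrderedDict


class KeyShareReuseDetector:
    """Client-side memory of server key shares, bounded per host.

    Remembers SHA-256 digests of the last `capacity` distinct shares seen
    from each host (LRU eviction) and reports whether a share was already
    in that memory. A honest server sending a fresh ephemeral share per
    handshake is never flagged; a server re-using shares is flagged only
    while the re-used share is still within the client's memory.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.seen = {}  # host -> OrderedDict(digest -> times seen)

    def observe(self, host, key_share):
        digest = hashlib.sha256(key_share).hexdigest()
        cache = self.seen.setdefault(host, OrderedDict())
        if digest in cache:
            cache.move_to_end(digest)  # refresh recency
            cache[digest] += 1
            return True  # re-used share: detected
        cache[digest] = 1
        if len(cache) > self.capacity:
            cache.popitem(last=False)  # evict least recently seen
        return False


def make_shares(pool_size):
    """Constructed placeholder shares standing in for DH public values."""
    return [("constructed-share-%d" % i).encode() for i in range(pool_size)]


def simulate(pool, cache_capacity, handshakes, host="server.example"):
    """Server cycles round-robin through `pool`; count flagged handshakes."""
    detector = KeyShareReuseDetector(cache_capacity)
    detected = 0
    for i in range(handshakes):
        if detector.observe(host, pool[i % len(pool)]):
            detected += 1
    return detected


if __name__ == "__main__":
    # Honest ephemeral shares: never repeats, never flagged.
    print("fresh shares   :", simulate(make_shares(100), 8, 100))
    # Small static pool, client remembers more than the pool: caught.
    print("pool 5, cache 8:", simulate(make_shares(5), 8, 100))
    # Pool longer than the client's memory: every repeat has already
    # been evicted, so nothing is ever flagged.
    print("pool 20, cache 8:", simulate(make_shares(20), 8, 100))
    # Enlarging the client's memory past the pool restores detection.
    print("pool 20, cache 32:", simulate(make_shares(20), 32, 100))
```

The third case is the point of the reply: with a round-robin pool one entry
larger than the client's memory, an LRU memory never sees the same digest
twice, so a server only needs a list longer than whatever the client vendor
ships. Any detector of this shape is therefore a size race between the two
sides rather than a property the client can rely on.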

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls