On Fri 2017-07-07 16:04:20 -0400, Russ Housley wrote: > In some industries, there are regulatory requirements that cannot be > met without access to the plaintext.
This is surely true, but it's not clear to me that any regulator requires access to the plaintext *from direct network capture*. Could you point to an example of any regulation that requires plaintext from network capture specifically? There are many non-network-based ways that plaintext can be produced as required by the regulated endpoints, without introducing a standardized mechanism that increases the attack surface of widespread implementations on the public Internet. Why should we privilege network capture (e.g. retrospectively decryptable pcap dumps) as a means of meeting regulatory requirements when: (a) other means of meeting regulatory requirements exist, and (b) we know that network capture is widely used adversarially by the kinds of attackers that TLS is explicitly intended to defend against? --dkg
signature.asc
Description: PGP signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls