On Fri 2017-07-07 16:04:20 -0400, Russ Housley wrote:

> In some industries, there are regulatory requirements that cannot be
> met without access to the plaintext.

This is surely true, but it's not clear to me that any regulator
requires access to the plaintext *from direct network capture*.

Could you point to an example of any regulation that requires plaintext
from network capture specifically?

There are many non-network-based ways that plaintext can be produced as
required by the regulated endpoints, without introducing a standardized
mechanism that increases the attack surface of widespread
implementations on the public Internet.

Why should we privilege network capture (e.g. retrospectively
decryptable pcap dumps) as a means of meeting regulatory requirements
when:

 (a) other means of meeting regulatory requirements exist, and

 (b) we know that network capture is widely used adversarially by the
     kinds of attackers that TLS is explicitly intended to defend
     against?

       --dkg

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls