Am 19.07.2017 um 15:51 schrieb Kyle Rose:
On Wed, Jul 19, 2017 at 3:43 PM, Ted Lemon <mel...@fugue.com
<mailto:mel...@fugue.com>> wrote:
This is exactly right. We have a /real/ problem here. We
should /really/ solve it. We should do the math. :)
Is there appetite to do this work? If we restrict this to two paths,
one of which is spending years designing and implementing a new
multi-party security protocol, the other of which is silently and
undetectably (at least on private networks) modifying the standardized
protocol for which lots of well-tested code already exists... my money
is on the latter happening.
There is a good chance that this "cheaper" solution is what will happen.
However the multi-party protocol may be a safer and better approach and
may even forced in by some regulators when it exists as an implemented
alternative.
In every decision we make with respect to the static DH approach, we
have to keep in mind that this change can be implemented unilaterally,
i.e., without any modifications for interop. Consequently, I think the
work we really need to do is to design and implement a FS-breakage
detector so we can at least tell when this is happening on the public
internet. Beyond that, the best we can really do is ask implementors
to be polite and intentionally make their implementations not
interoperate silently with TLS 1.3.
Kyle
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls