> On 20 Jul 2017, at 8:01, Russ Housley <hous...@vigilsec.com> wrote:
>
> Ted, if we use a new extension, then the server cannot include it unless the
> client offered it first. I am thinking of an approach where the server would
> include information needed by the decryptor in the response. So, if the
> client did not offer the extension, it would be a TLS protocol violation for
> the server to include it.
>
So we also add an alert called “key-export-needed” in case the client does not include it. That way a browser (as an example) can show the user why the connection was broken (“server requires wiretapping to be enabled. Go to about:config if that is OK and change the allow-wiretap setting to True”).
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls