On Thu, Jul 20, 2017 at 08:15:03PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Maybe we are better off just retrofitting RSA-key-transport back
> into TLS-1.3? In that case at least the peer could refuse this
> method of key establishment, and one could safely assume that if a
> peer insists on that key establishment mechanism, this session will
> be surveilled?
>
> If I had to choose between the two evils, RSA-key-transport seems a
> lesser one (or at least a more obvious/visible one).

This has in fact been requested. Kenny Paterson said about the request:

-----------------------------------------------------------------------
My view concerning your request: no.

Rationale: We're trying to build a more secure internet.
-----------------------------------------------------------------------

Furthermore, AFAICT, adding RSA key transport would cause major
problems with the way TLS 1.3 does its handshake: It assumes that
whatever the key exchange is, it is two-message client-goes-first,
where static RSA key exchange is two-message server-goes-first
(three messages as client-goes-first).

There is a straightforward way to make a valid key exchange out of RSA.
However, the result is very slow for the client, and is in fact
forward-secure.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls