How about requiring a record of a fixed size that either contains the session key encrypted with a “leaking key” or the output of a stream cipher keyed with the session key. A 3rd party observer would not be able to determine whether the session key is being leaked but the client can tell and act accordingly.
--Felix From: TLS <tls-boun...@ietf.org> on behalf of Ted Lemon <mel...@fugue.com> Date: Sunday, July 23, 2017 at 16:34 To: "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> Cc: "<tls@ietf.org>" <tls@ietf.org> Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol I did a little bit of rubber-duck debugging on this proposal with Andrea on the way back from Boston this morning. It's actually better for the server to secretly use a static key than to negotiate. Stephen has already explained why: if this is a negotiation, then it's possible for a third party to simply block any negotiation that doesn't allow it. We have no control over evil endpoints, and it's silly to pretend otherwise. Pretending otherwise makes us less secure, not more secure.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls