On 17/10/17 19:34, Ion Larranaga Azcue wrote:
> If the extension is not sent, the client does not realize there is a
> third party, but the third party does not have the session keys
> either, and the server has to provide them in a different way (for
> instance, using an OOB lookup as Florian suggested). In any case,
> it's not the same scenario as the draft proposes (the keys are shared
> in a different way) and can happen with or without this draft being
> accepted.
I agree.

My point is that if this draft were accepted, then the
infrastructure for the above scenario would all be in
place (the DH value for the snooper and the code to expose
session information to that snooper) and the above
scenario would be more likely to happen, more often.
IOW, by standardising draft-rehired, we'd *also* be
putting in place standard building blocks for an OOB,
client-is-never-told mechanism.

S.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls