On Fri, Dec 07, 2018 at 06:31:21AM +0000, Peter Gutmann wrote:
> Aren't you going to get into an adversarial machine learning problem where
> your recogniser has to be smarter than the other side's DH-reuse code?  In
> other words if the server just reuses the same DHE public value again and
> again you can detect it, but if they generate slightly different values from a
> fixed seed or start point you're not going to be able to detect it unless you
> know what they're doing.

If it's different then that's costing the server the resources to
generate it, which is precisely what its operator didn't want when they
enabled eDH key reuse.

Indeed, the client cannot detect the use of a fixed seed and counter
shared with an escrow agent.

> Not to mention a NOBUS DHE public value if they really want to be crafty.  In
> other words if someone wants to middlebox TLS, they're going to do it no
> matter how much people may dislike it.

No argument there.  There's nothing wrong with server-side key escrow if
that's what the server operator wants.

Nico
-- 

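An added illustration of the exchange above (example code, not from the thread or any TLS library): a client-side check that remembers the ephemeral key shares each server sends flags a server that re-sends one cached value, but cannot flag values derived from a fixed seed and counter, since each of those looks fresh on the wire. The detector class, the two simulated servers and the seed are all constructed for this example.

```python
import hmac
import hashlib
from collections import defaultdict, deque


class KeyShareReuseDetector:
    """Client-side heuristic: remember the last N ephemeral key shares
    (DHE/ECDHE public values) observed from each server and flag a repeat.
    Hypothetical helper written for this example, not a TLS library API."""

    def __init__(self, history=64):
        self._seen = defaultdict(lambda: deque(maxlen=history))

    def observe(self, server: str, key_share: bytes) -> bool:
        """Return True if this exact public value was already seen from `server`."""
        reused = key_share in self._seen[server]
        self._seen[server].append(key_share)
        return reused


def reusing_server_shares(n):
    # Constructed: a server that re-sends one cached "ephemeral" value
    # (the 32-byte digest stands in for an encoded public value).
    fixed = hashlib.sha256(b"constructed-cached-share").digest()
    return [fixed] * n


def seeded_server_shares(n, seed=b"constructed-escrow-seed"):
    # Constructed: values derived from a fixed seed and a counter. Each is
    # distinct on the wire, so a repetition check alone cannot flag them;
    # only a party holding the seed (e.g. an escrow agent) can regenerate them.
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(n)]


def count_flagged(server, shares):
    """Number of handshakes the detector would flag as key-share reuse."""
    det = KeyShareReuseDetector()
    return sum(det.observe(server, s) for s in shares)
```

Running both simulated servers through `count_flagged` shows the reusing server flagged on every handshake after the first and the seeded server never flagged.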
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
