On Thu, Aug 18, 2016 at 12:20 PM, Keith Winstein <[email protected]> wrote:
> Yes, you need current_receive_generation, or something like it, to get
> P3. This is the subject of our PR #426/580.

The KeyUpdate messages are encrypted and thus sequenced with all the application data. Apart from the Heartbeat message (TLS 6520), which has not been significantly used in TLS (I think), we've never worried about a TLS-level ack before.

PR 426 wants a way to retrospectively disclose keys to middleware and wants to make sure that the receive side is no longer going to trust those keys before doing so. Having spoken to several vendors of these products in the past and tried to persuade them to accept read-only access, I don't think we should alter TLS's design for that unless there's a novel argument about why they would ever accept it. (Because they won't. Their competitive interest is to have as many "features" as possible, many of which would require modifying traffic.)

Cheers

AGL
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
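As an added illustration of the sequencing point made in the reply above (this is not code from the thread, from PR #426/580, or from any TLS implementation): a toy model in which a KeyUpdate rides inside the in-order encrypted stream, so the reader's key generation advances only when that record is actually processed. It shows why the sender cannot, on its own, know when the peer has stopped trusting the old generation: the sender has already switched to sending under generation 1 while the peer still accepts generation 0 for as long as the KeyUpdate is in flight. The names Record, Endpoint, send_generation and receive_generation are assumptions of this example; it tracks a generation counter instead of real keys and ignores the wire format.

```python
# Added example, not part of the original mailing-list post.
# Toy model: records travel over an in-order link; a KeyUpdate is a record
# like any other, so the receiver's generation changes only on processing it.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Record:
    generation: int          # key generation this record was protected under
    kind: str                # "app" (application data) or "key_update"
    payload: bytes = b""


@dataclass
class Endpoint:
    name: str
    send_generation: int = 0
    receive_generation: int = 0
    received: list = field(default_factory=list)

    def send(self, link: deque, kind: str, payload: bytes = b"") -> Record:
        """Append a record to the in-order link. The KeyUpdate itself goes out
        under the old generation; the sender switches keys right after it."""
        rec = Record(self.send_generation, kind, payload)
        link.append(rec)
        if kind == "key_update":
            self.send_generation += 1
        return rec

    def would_accept(self, generation: int) -> bool:
        """Whether a record protected under `generation` is still trusted."""
        return generation == self.receive_generation

    def deliver_one(self, link: deque) -> Record:
        """Process the next record in stream order; reject any record that is
        not under the generation this side currently reads with."""
        rec = link.popleft()
        if not self.would_accept(rec.generation):
            raise ValueError(f"{self.name}: record under generation "
                             f"{rec.generation}, expected {self.receive_generation}")
        self.received.append(rec)
        if rec.kind == "key_update":
            self.receive_generation += 1
        return rec


def run_scenario():
    """Drive A -> B through a KeyUpdate. Returns the (A send generation,
    B receive generation, B still accepts generation 0) triple before and
    after B drains the link, plus the record kinds B processed."""
    link = deque()
    a, b = Endpoint("A"), Endpoint("B")
    a.send(link, "app", b"hello")          # constructed sample traffic
    a.send(link, "key_update")
    a.send(link, "app", b"after update")

    # A already sends under generation 1, but nothing has told A whether B
    # processed the KeyUpdate: B still trusts generation 0 at this point.
    before = (a.send_generation, b.receive_generation, b.would_accept(0))

    while link:
        b.deliver_one(link)

    # Only now has B moved on; disclosing generation 0 keys earlier would
    # have handed out keys B was still willing to accept records under.
    after = (a.send_generation, b.receive_generation, b.would_accept(0))
    return before, after, [r.kind for r in b.received]


def stale_record_rejected() -> bool:
    """After B has processed the KeyUpdate, a record under the old generation
    (e.g. forged with a disclosed old key) is refused."""
    link = deque()
    a, b = Endpoint("A"), Endpoint("B")
    a.send(link, "key_update")
    b.deliver_one(link)
    link.append(Record(0, "app", b"forged under old key"))  # constructed
    try:
        b.deliver_one(link)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario())
    print("stale record rejected:", stale_record_rejected())
```

The model makes the gap explicit: A's send_generation and B's receive_generation disagree until B has consumed the KeyUpdate, and without an ack in the stream A never learns when that happens. That is exactly the information a retrospective key disclosure would need, and the reason the thread frames it as a new TLS-level ack.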
