Mandating forward secrecy for TLS 1.3+ has been a strong consensus of this 
working group, so there's no point in myself or any other contributors just 
mass-replying with a big "no" here. That said, there is one puzzling thing I'm 
curious about:

On Thursday, September 22, 2016 01:19:48 pm BITS Security wrote:
> The impact on supervision will be particularly severe.  Financial 
> institutions are required by law to store communications of certain employees 
> (including broker/dealers) in a form that ensures that they can be retrieved 
> and read in case an investigation into improper behavior is initiated.  The 
> regulations which require retention of supervised employee communications 
> initially focused on physical and electronic mail, but now extend to many 
> other forms of communication including instant message, social media, and 
> collaboration applications.  All of these communications channels are 
> protected using TLS.

Yes, all of these other channels are protected using TLS... which you do not 
control in any way. Also, many sites/services already prioritize FS cipher 
suites, so the deprecation of plain RSA key exchange doesn't actually affect 
the vast majority of people (e.g. Facebook & Twitter both prefer ECDHE with 
NIST P-256). Within this very argument is already the argument that supervision 
at endpoints is required here. The security on the pipe is irrelevant. I don't 
see how you can make a point to bring this up but think keeping plain RSA KE 
suites is a useful solution.


TLS mailing list