> On Sep 26, 2016, at 7:21 PM, Eric Rescorla <e...@rtfm.com> wrote:
> 
> There are other ways to accomplish this.  For example, the server might
> use session ticket keys that are stored centrally encrypted under a
> suitable escrow key.  If clients always enable session tickets, then
> every handshake will result in the server returning a session ticket,
> in which case the session can be later decrypted if the session ticket
> keys are available.
> 
> This actually doesn't work in TLS 1.3 because the resumption master secret
> is not sufficient to decrypt the connection in which it was established.

Yes, I know that changed.  It was an example of something that works with
TLS 1.2 even when PFS is used.  With TLS 1.3 server or client implementations
can find other ways to retain long-term records of session keys.  The capability
to do that is not a requisite or desirable protocol feature.  Different user
communities will have different needs, and the best solution is to provide
security by default, and cede control of the result to the endpoints.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
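
An added example, not part of the original message or anyone's posted code: a Python sketch of the key derivations behind this exchange, assuming a SHA-256 cipher suite, the labels of the final TLS 1.3 specification (RFC 8446, which postdates this thread) and the TLS 1.2 PRF of RFC 5246. It shows that a TLS 1.2 master secret plus the public randoms yields the record keys, while the TLS 1.3 resumption master secret is a one-way output sitting beside the traffic secrets; function names and sample inputs are constructed.

```python
import hashlib, hmac

H, HLEN = hashlib.sha256, 32

def extract(salt, ikm):
    """HKDF-Extract (RFC 5869)."""
    return hmac.new(salt, ikm, H).digest()

def expand_label(secret, label, context, length=HLEN):
    """HKDF-Expand-Label (RFC 8446 7.1); one HMAC block covers length <= 32."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hmac.new(secret, info + b"\x01", H).digest()[:length]

def derive_secret(secret, label, messages):
    """Derive-Secret: the context is the hash of the handshake transcript."""
    return expand_label(secret, label, H(messages).digest())

def tls13_secrets(ecdhe, to_server_finished, to_client_finished):
    """Full (non-PSK) handshake: the three outputs are siblings under `master`."""
    zero = bytes(HLEN)
    early = extract(zero, zero)
    handshake = extract(derive_secret(early, b"derived", b""), ecdhe)
    master = extract(derive_secret(handshake, b"derived", b""), zero)
    return {
        "client_app": derive_secret(master, b"c ap traffic", to_server_finished),
        "server_app": derive_secret(master, b"s ap traffic", to_server_finished),
        "resumption": derive_secret(master, b"res master", to_client_finished),
    }

def tls12_key_block(master_secret, client_random, server_random, length=64):
    """TLS 1.2 PRF with SHA-256: P_hash(master, "key expansion" + randoms)."""
    seed = b"key expansion" + server_random + client_random
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(master_secret, a, H).digest()
        out += hmac.new(master_secret, a + seed, H).digest()
    return out[:length]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real connection.
    s = tls13_secrets(b"\x11" * 32, b"CH..SF", b"CH..CF")
    # TLS 1.3: what a ticket-key escrow can hold vs. what decryption needs.
    print("escrowed resumption secret:", s["resumption"].hex())
    print("traffic secrets (not derivable from it):", s["client_app"].hex(), s["server_app"].hex())
    # TLS 1.2: the ticket holds the master secret; the randoms are on the wire.
    print("TLS 1.2 key block:", tls12_key_block(b"\x22" * 48, b"\x01" * 32, b"\x02" * 32).hex())
```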
