On Mon, Jan 02, 2017 at 06:58:36PM +0200, Yoav Nir wrote: > > Still, if we want to accommodate the banking industry (or whatever > part of it we’ve talked to in Seoul), then they need to be able to > tell based on a timestamp which private key was used for that handshake. > With 60 seconds key changes are rare enough that there are at most two > possibilities which I think is manageable. With 10 seconds clock skew > can ruin your system. But I realize I’m bike shedding here.
- If this is actually banking, they AFAIK do have accurate enough clocks (sub-second). - One can do seeded generation from ServerRandom. Adds load from use- once key generation, but avoids all time-skew problems. -Ilari _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
