On Sat, Jul 8, 2017 at 11:17 AM Russ Housley <[email protected]> wrote:
> I want to highlight that draft-green-tls-static-dh-in-tls13-01 does not > enable MitM. The server does not share the signing private key, so no > other party can perform a valid handshake. > This method allows a middlebox to recover the plaintext of a TLS session. While I took issue with Stephen's attempts to shut down conversations this line of inquiry, I have a much, much stronger objection to downplay the fact that this is still a self-inflicted MitM attack. Let me be very clear: full plaintext recovery by a passive middlebox absolutely is "MitM". Just because it does not allow full impersonation of the server does not make it MitM. It is MitM, and we should be very clear it is MitM. Further, the server is choosing to use a (EC)DH key that was generated by > the key manager, so it is quite different than the mandatory key escrow used > in the Clipper Chip. > It enables the same ends: recovery of session plaintexts, and as I stated on other threads I would personally prefer a more explicit key escrow mechanism implemented as a TLS extension, which to some degree would actually look a bit more like LEAP. > -- Tony Arcieri
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
