What the draft actually says is that you can install a fixed key on the server rather than generating new keys every time, and then that fixed key can also be installed on monitoring software. This is, I believe, the actual intended use of the proposal.
It’s also true that you can just exfiltrate every key as it’s generated, but that’s not what’s being proposed and would not, I think, suit the needs of the operators who are making this proposal. I don’t see how you could mitigate against deliberate key exfiltration. At some point you really are relying on the security of the endpoint. But being able to detect repeated keys is useful for preventing pervasive monitoring: it requires the monitored either to have access to the key generation stream in realtime, or to request the key for a particular conversation. So I think there is some value in defending against this attack. I look forward to seeing a defense that uses perfect forward secrecy and protects against key exfiltration.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
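The "detect repeated keys" check the poster refers to can be done passively: a DHE or ECDHE server that really generates a fresh value per handshake will never present the same public value twice, so a monitor that records the server's key share from each handshake and flags any recurrence catches a fixed key installed in place of the ephemeral one. The detector below is an added example, not code from the post or from any IETF draft; the handshake records are constructed inline (a real deployment would extract the server key_share or ServerKeyExchange value from a capture), and the `Handshake`, `Alert` and `KeyReuseDetector` names are this example's own.

```python
"""Flag reuse of supposedly ephemeral (EC)DHE server key shares across TLS handshakes.

Added example; the input records below are constructed for illustration, not
taken from any real capture. A genuine ephemeral key should appear exactly once,
so any repeat of (group, public value) is suspicious, and the same value showing
up on more than one host points at a shared, deliberately installed fixed key.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Handshake:
    ts: float        # capture time in seconds
    server: str      # SNI or destination host the share was seen on
    group: str       # named group, e.g. "x25519" or "secp256r1"
    pubkey: str      # server's public DH/ECDH value, hex-encoded


@dataclass(frozen=True)
class Alert:
    ts: float                 # time of the handshake that triggered the alert
    group: str
    pubkey: str
    count: int                # handshakes that have presented this value so far
    servers: Tuple[str, ...]  # distinct hosts that presented it, sorted
    cross_host: bool          # True when more than one host presented it
    age: float                # seconds since the value was first seen


class KeyReuseDetector:
    """Streaming detector: feed handshakes in capture order, get an Alert on each repeat."""

    def __init__(self) -> None:
        self._first_seen: Dict[Tuple[str, str], float] = {}
        self._count: Dict[Tuple[str, str], int] = defaultdict(int)
        self._hosts: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def observe(self, hs: Handshake) -> Optional[Alert]:
        key = (hs.group, hs.pubkey)
        self._count[key] += 1
        self._hosts[key].add(hs.server)
        if key not in self._first_seen:
            # First sighting of this value: exactly what an ephemeral key looks like.
            self._first_seen[key] = hs.ts
            return None
        servers = tuple(sorted(self._hosts[key]))
        return Alert(
            ts=hs.ts,
            group=hs.group,
            pubkey=hs.pubkey,
            count=self._count[key],
            servers=servers,
            cross_host=len(servers) > 1,
            age=hs.ts - self._first_seen[key],
        )


# Constructed sample: two ordinary handshakes, one same-host reuse, an unrelated
# P-256 share, and the same x25519 value reappearing on a different host.
SAMPLE_HANDSHAKES: List[Handshake] = [
    Handshake(0.0, "mail.example.net", "x25519", "aa" * 32),
    Handshake(1.5, "mail.example.net", "x25519", "bb" * 32),
    Handshake(3.0, "mail.example.net", "x25519", "aa" * 32),       # reuse on the same host
    Handshake(4.0, "www.example.net", "secp256r1", "04" + "cc" * 64),
    Handshake(5.0, "api.example.net", "x25519", "aa" * 32),        # same value, another host
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed capture and return the alerts raised."""
    detector = KeyReuseDetector()
    alerts = []
    for hs in SAMPLE_HANDSHAKES:
        alert = detector.observe(hs)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        kind = "SHARED ACROSS HOSTS" if a.cross_host else "repeated"
        print(f"t={a.ts:5.1f} {a.group} {a.pubkey[:16]}... {kind}: "
              f"seen {a.count}x over {a.age:.1f}s on {', '.join(a.servers)}")
```

The detector keys on the public value alone, not on the server name, which is what makes the cross-host case visible: a fixed key pushed to several servers from the same provisioning system shows up as one value on many hosts. Note the caveat the poster makes: this only catches a key that is reused, not a fresh key that is copied out of the server as it is generated.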
