On 17 Jul 2017, at 18:35, Benjamin Kaduk wrote:

it could easily be enabled accidentally on the Internet, or coercively required of certain entities, e.g., by national security letter, once enablement
is just a configuration setting (as opposed to writing code)

Yes, concur.

So, in order to have something that is verifiably opt-in by both
parties, it seems like it would have to be a ClientHello/ServerHello
extension (included in the transcript for the generated traffic keys)
where both sides commit that they are willing to exfiltrate keys to a
given named entity(ies) (whether that's by raw public key, certificate
name, etc., is quite flexible).

I agree that the extension approach is something which is worthy of exploration.

-----------------------------------
Roland Dobbins <rdobb...@arbor.net>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
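
The transcript binding proposed in the quoted text, as an added sketch that is not part of the original message or of any TLS draft: because TLS 1.3 traffic secrets are derived over the hash of the Hello messages, an opt-in extension that is stripped or altered in transit leaves the two endpoints with different keys. The extension codepoint, the simplified Hello encoding and all input values are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

# Hypothetical private-use extension codepoint; no such TLS extension is assigned.
EXT_KEY_DISCLOSURE = 0xFFCE

def extension(ext_type: int, data: bytes) -> bytes:
    """TLS extension encoding: uint16 type, uint16 length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data

def hello(random: bytes, extensions: list) -> bytes:
    """Constructed stand-in for a Hello message: 32-byte random + extension block."""
    block = b"".join(extensions)
    return random + struct.pack("!H", len(block)) + block

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """RFC 8446 HKDF-Expand-Label with SHA-256 (one HMAC block covers <= 32 bytes)."""
    full = b"tls13 " + label
    info = struct.pack("!HB", length, len(full)) + full + bytes([len(context)]) + context
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]

def traffic_secret(handshake_secret: bytes, view: tuple) -> bytes:
    """Derive-Secret over one endpoint's view (ClientHello, ServerHello) of the handshake."""
    transcript_hash = hashlib.sha256(view[0] + view[1]).digest()
    return hkdf_expand_label(handshake_secret, b"c hs traffic", transcript_hash)

def keys_match(secret: bytes, client_view: tuple, server_view: tuple) -> bool:
    """True only if both endpoints hashed byte-identical Hello messages."""
    return hmac.compare_digest(traffic_secret(secret, client_view),
                               traffic_secret(secret, server_view))

def run_cases() -> dict:
    secret = hashlib.sha256(b"constructed (EC)DHE output").digest()   # constructed
    entity = hashlib.sha256(b"constructed key of named entity").digest()
    other = hashlib.sha256(b"constructed key of another entity").digest()
    ch = hello(b"C" * 32, [extension(EXT_KEY_DISCLOSURE, entity)])
    sh = hello(b"S" * 32, [extension(EXT_KEY_DISCLOSURE, entity)])
    ch_stripped = hello(b"C" * 32, [])                                # extension removed in transit
    sh_swapped = hello(b"S" * 32, [extension(EXT_KEY_DISCLOSURE, other)])  # entity replaced
    return {
        "both_opted_in": keys_match(secret, (ch, sh), (ch, sh)),
        "stripped_toward_server": keys_match(secret, (ch, sh), (ch_stripped, sh)),
        "entity_swapped_toward_client": keys_match(secret, (ch, sh_swapped), (ch, sh)),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case}: traffic secrets {'match' if ok else 'differ'}")
```

A real handshake hashes the full handshake messages with their headers and takes the handshake secret from the key exchange; only the dependence of the keys on the extension bytes is modelled here.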
