On Thu, Dec 6, 2018 at 3:30 PM Viktor Dukhovni <ietf-d...@dukhovni.org>
wrote:

> > On Dec 6, 2018, at 4:08 PM, Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org> wrote:
> >
> > Widespread deployment of draft-dkg-tls-reject-static-dh-01 and failing
> > connections to "enterprise TLS" servers would probably qualify as
> > "essential circumstances", at least to some operators.
>
> I don't think the TLS WG or IETF can win this skirmish.
>

I think there are very strong technical/security reasons to reject using a
static D-H key in place of an ephemeral D-H key, namely compromise of this
key permits "impersonation" of any previously (passively) observed TLS
sessions by allowing a passive observer holding one of these keys to
recover the resumption master secret.

Inasmuch as people are attempting to build standards around this
approach, based on the conversation earlier in this thread it seems they
were unaware of this security property. I hope this causes the creators of
"eTLS" to reconsider the security implications of their proposal.

I think a protocol which aims to fulfill the specific goals of "eTLS"
should focus on providing a way for a passive observer to recover the
*traffic* secrets, which would provide the ability to passively decrypt
traffic (something I think is a bad idea, but I digress), but *NOT* resume
observed sessions.

-- 
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
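
The distinction drawn in the message above, worked through the TLS 1.3 key schedule (RFC 8446, section 7.1) as an added example; it is not part of the original message or of any "eTLS" specification. The toy DH group, the key values, the transcript hashes and the helper name `traffic_only_export` are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HLEN = HASH().digest_size
ZEROS = bytes(HLEN)
EMPTY_HASH = HASH(b"").digest()

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()

def derive_secret(secret, label, transcript_hash):
    # HKDF-Expand-Label (RFC 8446 7.1); one HMAC block covers a 32-byte output.
    full = b"tls13 " + label
    info = (struct.pack("!H", HLEN) + bytes([len(full)]) + full
            + bytes([len(transcript_hash)]) + transcript_hash)
    return hmac.new(secret, info + b"\x01", HASH).digest()

def key_schedule(dhe, th_server_fin, th_client_fin):
    """Non-PSK schedule: every secret below follows from the (EC)DHE output."""
    early = hkdf_extract(ZEROS, ZEROS)
    handshake = hkdf_extract(derive_secret(early, b"derived", EMPTY_HASH), dhe)
    master = hkdf_extract(derive_secret(handshake, b"derived", EMPTY_HASH), ZEROS)
    return {
        "c_ap_traffic": derive_secret(master, b"c ap traffic", th_server_fin),
        "s_ap_traffic": derive_secret(master, b"s ap traffic", th_server_fin),
        "res_master": derive_secret(master, b"res master", th_client_fin),
    }

def traffic_only_export(secrets):
    """Hypothetical decrypt-only hand-off: traffic secrets without res_master,
    which cannot be computed from these sibling HKDF outputs."""
    return {k: v for k, v in secrets.items() if k.endswith("_ap_traffic")}

# Constructed toy DH group and keys (NOT a secure group), standing in for a static server key.
P, G = 2**127 - 1, 3
SERVER_STATIC_PRIV = 0x1F2E3D4C5B6A79880123456789ABCDEF
CLIENT_EPHEMERAL_PRIV = 0x0FEDCBA9876543211032547698BADCFE
CLIENT_PUB = pow(G, CLIENT_EPHEMERAL_PRIV, P)  # visible on the wire
SERVER_PUB = pow(G, SERVER_STATIC_PRIV, P)
TH_SF = HASH(b"constructed transcript through server Finished").digest()
TH_CF = HASH(b"constructed transcript through client Finished").digest()

def dh_bytes(pub, priv):
    return pow(pub, priv, P).to_bytes(16, "big")

endpoint = key_schedule(dh_bytes(SERVER_PUB, CLIENT_EPHEMERAL_PRIV), TH_SF, TH_CF)
# A holder of the static private key needs only the client's public share.
key_holder = key_schedule(dh_bytes(CLIENT_PUB, SERVER_STATIC_PRIV), TH_SF, TH_CF)
monitor = traffic_only_export(endpoint)
```

`key_holder` ends up with the same `res_master` as the endpoint, while `monitor` holds only the two application traffic secrets.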
