On Fri, May 24, 2024 at 4:15 PM Brendan McMillion <
[email protected]> wrote:

> The part of the spec you quoted says: if multiple certs match, choose any.
> When TE is rendered in actual code, why do you assume that there will be no
> configurable or easily-gameable way to make sure the government CA
> always wins?
>

I'm not assuming there will be no configurable or easily-gameable way to do
this - I don't know what exactly that will look like in implementations.
I'm asserting that TE alone as currently specified is insufficient for this
attack, because TE says "choose any" and the attack needs to choose a
specific one.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
