Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Daniel Kahn Gillmor
On Sat 2018-12-01 10:02:44 -0800, Christian Huitema wrote:
> Which is indeed a huge problem. Security conscious implementations of
> TLS should detect the use of such "enhancements", and either abort the
> session or automatically treat it as insecure.

This certainly looks like a case of forum-sho

[TLS] Thoughts on draft-rescorla-tls13-semistatic-dh-00

2018-12-04 Thread Watson Ladd
Dear all, I read the draft and have a few comments. First off it seems like OPTLS used an HKDF extracted key to feed into the content keys, instead of reusing the shared secret. I'm pretty sure that will end up not mattering, but I'm by no means an expert in how much some change like that will aff

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Nico Williams
On Tue, Dec 04, 2018 at 05:39:30PM +0100, Jonathan Hoyland wrote:
> Isn't there a lower bar at the IETF for defining new cipher suites, as long
> as you're not seeking a "recommended" setting?

Yes, but then you have to get interoperability using them, which means patching clients and servers. You

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Jonathan Hoyland
Isn't there a lower bar at the IETF for defining new cipher suites, as long as you're not seeking a "recommended" setting? I think escrowing lower down keys / not MACing the messages beyond the handshake means that you lose authenticity and integrity of the message data, which is unattractive. How

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Tony Arcieri
On Sun, Dec 2, 2018 at 3:36 PM Nico Williams wrote:
> > I'm not a fan of systems like this, but I believe for security reasons they
> > should be designed in such a way that only the confidentiality of traffic
> > is impacted, and a "visibility" system isn't able to leverage the decrypted

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Nico Williams
On Tue, Dec 04, 2018 at 04:34:08PM +0100, Jonathan Hoyland wrote:
> Is it necessarily true that any key escrow system must allow resumptions?
>
> Just to play devil's advocate, consider defining a new cipher suite that
> appended a MAC to each message before applying one of the other cipher
> suit

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Salz, Rich
* Just to play devil's advocate, consider defining a new cipher suite that appended a MAC to each message before applying one of the other cipher suites.

But that would defeat their purpose, which is on-the-wire compatibility with real TLS.

Re: [TLS] ETSI releases standards for enterprise security and data centre management

2018-12-04 Thread Jonathan Hoyland
Is it necessarily true that any key escrow system must allow resumptions? Just to play devil's advocate, consider defining a new cipher suite that appended a MAC to each message before applying one of the other cipher suites. If the MAC is keyed with a key not derived from the master secret, but f