Mandating forward secrecy for TLS 1.3+ has been a strong consensus of this working group, so there's no point in myself or any other contributors just mass-replying with a big "no" here. That said, there is one puzzling thing I'm curious about:

On Thursday, September 22, 2016 01:19:48 pm BITS Security wrote:
> The impact on supervision will be particularly severe. Financial
> institutions are required by law to store communications of certain employees
> (including broker/dealers) in a form that ensures that they can be retrieved
> and read in case an investigation into improper behavior is initiated. The
> regulations which require retention of supervised employee communications
> initially focused on physical and electronic mail, but now extend to many
> other forms of communication including instant message, social media, and
> collaboration applications. All of these communications channels are
> protected using TLS.

Yes, all of these other channels are protected using TLS... which you do not control in any way. Also, many sites/services already prioritize FS cipher suites, so the deprecation of plain RSA key exchange doesn't actually affect the vast majority of people. (e.g. Facebook & Twitter both prefer ECDHE with NIST P-256)

Within this very argument is already the argument that supervision at endpoints is required here. The security on the pipe is irrelevant. I don't see how you can make a point to bring this up but think keeping plain RSA KE suites is a useful solution.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls