On Mon, Jan 2, 2017 at 11:43 AM, Yoav Nir <ynir.i...@gmail.com> wrote:
> I’m assuming that the server generates private keys and saves them to a
> file along with the time period that they were used, and another machine in
> a different part of the network records traffic. It’s not so much that the
> clocks need to be accurate, as that they need to be synchronized, and there
> will still be some misalignment because of (variable) latency.
>
> I guess we are making guesses about systems that haven’t been written yet.
>

Logging the actual session keys is a feature that some Enterprise appliances have today, and that would continue to work in all scenarios (sadly). It's not that much data to log (far less than a request log, for example). In that case it's often left unindexed and simple tools like grep are used for ad-hoc decryption requests, which are typically rare enough not to merit anything better.

For simplicity's sake, I'd prefer single-use ECDHE, rather than time-delimited. Mostly because it's simpler to implement. The current generation of IoT and other small embedded systems is already at the point where they can do this kind of thing.

-- 
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
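The two approaches compared in the message above (a per-session key log queried "with grep" by the ClientHello's client_random, versus time-delimited keys matched by a capture timestamp with clock skew) can be made concrete. The following is an added example, not code from the thread or from any of the appliances Colm refers to. It assumes the widely used NSS "SSLKEYLOGFILE" line format (`LABEL <client_random hex> <secret hex>`, e.g. `CLIENT_RANDOM` for a TLS 1.2 master secret and `CLIENT_TRAFFIC_SECRET_0` for TLS 1.3), and all key-log lines, randoms, secrets and time periods are constructed sample data.

```python
"""Added example: consuming a per-session TLS key log for passive decryption,
and why exact per-session lookup is simpler than time-delimited keys.

Assumptions (not from the mailing-list thread):
- key log lines follow the NSS SSLKEYLOGFILE format: LABEL <client_random hex> <secret hex>
- sessions are correlated by the 32-byte client_random carried in the ClientHello
All sample data below is constructed.
"""
from collections import defaultdict

# --- constructed sample data (not a real capture) ---
RAND_A = bytes(range(32))          # client_random of a TLS 1.2 session
RAND_B = bytes(range(32, 64))      # client_random of a TLS 1.3 session
SECRET_A = bytes([0xA5]) * 48      # 48-byte TLS 1.2 master secret
SECRET_B = bytes([0x5A]) * 32      # 32-byte TLS 1.3 traffic secret
KEYLOG = (
    "# constructed sample key log\n"
    f"CLIENT_RANDOM {RAND_A.hex()} {SECRET_A.hex()}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {SECRET_B.hex()}\n"
    f"SERVER_TRAFFIC_SECRET_0 {RAND_B.hex()} {SECRET_B.hex()}\n"
)


def parse_keylog(text):
    """Index an NSS-format key log: client_random (hex) -> {label: secret bytes}."""
    index = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, client_random, secret = line.split()
        index[client_random.lower()][label] = bytes.fromhex(secret)
    return index


def build_client_hello(client_random):
    """Build a minimal TLS record carrying a ClientHello with the given random.
    Body: legacy_version(2) | random(32) | session_id_len(1) | cipher_suites(2+2) | compression(1+1)."""
    body = (b"\x03\x03" + client_random + b"\x00"
            + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """Extract client_random from a ClientHello record.
    Offsets: 5-byte record header, 4-byte handshake header, 2-byte version, then 32-byte random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    return record[11:43].hex()


def lookup_session_keys(index, record):
    """Single-use lookup: the 'grep' query. Exact match or nothing, no clock involved."""
    return index.get(client_random_from_record(record))


def lookup_time_delimited(periods, capture_time, max_skew):
    """Time-delimited alternative: periods is a list of (start, end, key).
    Return every key whose validity window overlaps capture_time +/- max_skew.
    More than one hit means the decryption tool has to try each candidate."""
    return [key for start, end, key in periods
            if start - max_skew <= capture_time <= end + max_skew]


if __name__ == "__main__":
    index = parse_keylog(KEYLOG)
    hello = build_client_hello(RAND_B)
    print("secrets for captured session:", lookup_session_keys(index, hello))
    periods = [(100, 200, "k1"), (200, 300, "k2"), (300, 400, "k3")]
    print("time-delimited, no skew:", lookup_time_delimited(periods, 205, 0))
    print("time-delimited, 10s skew:", lookup_time_delimited(periods, 205, 10))
```

The contrast is the point of the example: with one key per session the capture side needs only the client_random it already has on the wire, whereas with time-delimited keys any tolerance for clock misalignment turns a lookup into a list of candidates that must each be tried.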