> On May 3, 2017, at 2:33 PM, Timothy Jackson <tjack...@mobileiron.com> wrote:
>
> We could even go so far as to add a “SHOULD NOT” around using STEKs that are
> long-lived?
No specific objection there, motherhood and apple pie... so long as we don't go too far and say "SHOULD NOT" to STEKs broadly. They are a sensible way to handle session caching, in combination with a sensibly implemented key rotation approach. One also SHOULD NOT store long-term copies of sessions, deploy world-readable private keys, ... So, if folks feel that it is necessary to give such advice, that's fine.

-- 
Viktor.
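To make the "sensibly implemented key rotation" point concrete, here is an added example (not code from the thread or from any IETF document) of a STEK ring: tickets are sealed only under the newest key, older keys are kept for decryption until they exceed a configured lifetime, and a ticket under a retired key is rejected so the client falls back to a full handshake. It assumes an RFC 5077-style layout of key_name || nonce || AES-GCM ciphertext and uses only the Go standard library; the key sizes and the 16-byte key_name are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// stek is one ticket key: a random key_name (as in RFC 5077 tickets, so the
// server can find the right key), the AEAD built from it, and its mint time.
type stek struct{ name []byte; aead cipher.AEAD; created time.Time }
// Ring keeps the newest key first; only it encrypts, older ones only decrypt.
type Ring struct{ keys []*stek }
func newSTEK(now time.Time) (*stek, error) {
	raw := make([]byte, 48) // 32-byte AES-256 key followed by a 16-byte key_name
	if _, err := rand.Read(raw); err != nil { return nil, err }
	block, err := aes.NewCipher(raw[:32])
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &stek{name: raw[32:], aead: aead, created: now}, err
}
// Rotate installs a fresh encryption key and forgets keys older than lifetime,
// so a ticket sealed under a retired key can never be opened again.
func (r *Ring) Rotate(now time.Time, lifetime time.Duration) error {
	k, err := newSTEK(now)
	if err != nil { return err }
	r.keys = append([]*stek{k}, r.keys...)
	for n := len(r.keys); n > 1 && now.Sub(r.keys[n-1].created) > lifetime; n-- { r.keys = r.keys[:n-1] }
	return nil
}
// Seal emits key_name || nonce || AES-GCM(state) under the current key.
func (r *Ring) Seal(state []byte) ([]byte, error) {
	k := r.keys[0]
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	t := append(append([]byte{}, k.name...), nonce...)
	return k.aead.Seal(t, nonce, state, k.name), nil
}
// Open finds the key by name; an unknown (retired) name or a bad tag means the
// client cannot resume and must do a full handshake.
func (r *Ring) Open(ticket []byte) ([]byte, error) {
	for _, k := range r.keys {
		ns := k.aead.NonceSize()
		if len(ticket) < 16+ns || string(ticket[:16]) != string(k.name) { continue }
		return k.aead.Open(nil, ticket[16:16+ns], ticket[16+ns:], k.name)
	}
	return nil, errors.New("ticket key retired or unknown: full handshake required")
}
```

Rotate would be driven by a timer (or a shared key distribution mechanism on a server fleet) rather than called by hand; the lifetime bounds how long a compromised STEK can decrypt recorded sessions.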