On Fri, Jul 7, 2017 at 6:02 AM, Richard Barnes <r...@ipv.sx> wrote:
> You could avoid changing how the DH works altogether by simply exporting
> the DH private key, encrypted with a key shared with the monitoring device,
> in a server extension. (Not in EncryptedExtensions, obviously.) This
> would also have the benefit of explicitly signaling when such monitoring is
> in use. The only real challenge here is that the client would have to
> offer the extension in order for the server to be able to send it, which I
> expect things like browsers would be unlikely to do. However, given that
> the target of this draft seems to be intra-data-center TLS, perhaps this is
> a workable requirement?
>
I very much like the property that by using an extension, the client must consent to being MitMed. But in this case, why not just keywrap the session master secret with a preshared KEK as opposed to exfiltrating the DH private key?

-- 
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls