On Jul 11, 2017, at 3:40 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:

> It'd seem possible for a server to hold a rather long
> list of re-used static DH values and unlikely for normal
> clients to detect those.
Bearing in mind that the current proposal is intended to perpetuate a well-established use model so as to avoid having to re-tool, I don't think this is a real concern. In practice I expect that the number of keys used in such a system will be small, because the operational burden of making it large will be enough to motivate re-tooling. So in practice I would expect a client to be able to cache enough keys to notice this attack, if the user were motivated, or the client vendor considered this to be a credible threat worth addressing.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
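The exchange above turns on a size comparison: a client can only notice a re-used static DH value if that value is still in whatever it remembers from earlier handshakes, so detection depends on the server's list of re-used values being shorter than the client's memory. The following is an added illustration of that trade-off, not code from the thread or from either author. The "key shares" are SHA-256 hashes of constructed labels standing in for the server's DH public value (only their identity matters here), and the server models, class names, and bounded least-recently-seen cache are my own assumptions about how such a check could be built.

```python
import hashlib
from collections import OrderedDict


class StaticDHServer:
    """Constructed model of a server that cycles through a fixed list of
    re-used DH public values (the behaviour discussed in the thread).
    The values are hashes of a label, not real DH group elements; a
    reuse check only needs to compare them for equality."""

    def __init__(self, pool_size):
        self.pool = [hashlib.sha256(f"static-dh-{i}".encode()).digest()
                     for i in range(pool_size)]
        self.next = 0

    def key_share(self):
        share = self.pool[self.next % len(self.pool)]
        self.next += 1
        return share


class EphemeralDHServer:
    """Constructed model of a server that sends a fresh value per handshake."""

    def __init__(self):
        self.count = 0

    def key_share(self):
        self.count += 1
        return hashlib.sha256(f"ephemeral-{self.count}".encode()).digest()


class ReuseDetector:
    """Client-side cache of the server key shares seen for one host, with a
    bounded capacity and least-recently-seen eviction.

    observe() returns True when the share was already in the cache, i.e. the
    server re-used a public value within the client's memory window."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.seen = OrderedDict()  # key share -> handshake number when last seen

    def observe(self, key_share, handshake_no):
        reused = key_share in self.seen
        if reused:
            self.seen.move_to_end(key_share)  # refresh its recency
        self.seen[key_share] = handshake_no
        while len(self.seen) > self.capacity:
            self.seen.popitem(last=False)  # drop the least recently seen share
        return reused


def simulate(server, cache_capacity, handshakes):
    """Run `handshakes` connections against `server` and return how many were
    flagged as re-using a previously seen key share."""
    detector = ReuseDetector(cache_capacity)
    flagged = 0
    for n in range(handshakes):
        if detector.observe(server.key_share(), n):
            flagged += 1
    return flagged


if __name__ == "__main__":
    # Short static list, client cache larger than the list: reuse is visible.
    print(simulate(StaticDHServer(4), cache_capacity=8, handshakes=12))    # 8
    # Static list longer than the client cache: each value is evicted before
    # it comes round again, so nothing is flagged.
    print(simulate(StaticDHServer(16), cache_capacity=8, handshakes=32))   # 0
    # Genuinely ephemeral server: nothing to flag.
    print(simulate(EphemeralDHServer(), cache_capacity=8, handshakes=32))  # 0
```

The second run is the case the quoted concern describes: a server rotating through more static values than the client remembers looks, to that client, exactly like an ephemeral one. A real client would key the cache per server name and compare the raw key_share bytes from the ServerHello; the detection logic itself does not change.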