> On 15 Jul 2017, at 9:12, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>
> On Sat 2017-07-15 05:58:31 +0000, Salz, Rich wrote:
>> Unless I missed the reply, I did not see any answer to my question as
>> to why it must be opt-in. Do we think evildoers will tell the truth
>> about what they are doing?
>
> Because presumably the people who do *not* want to do evil want to avoid
> specifying a mechanism that will be widely implemented that could leak
> into use outside of the intended scenario. right?
>
> As far as i can tell, we're all in agreement here that:
>
> * This proposed TLS variant is *never* acceptable for use on the public
>   Internet. At most it's acceptable only between two endpoints within
>   a datacenter under a single zone of administrative control.

This TLS variant is only about using the same key share for a while. This is already done for optimization (as in “use the same key share for 1 minute before generating a new one”) although I guess for decryption a key would be used for longer than a minute.

The one difference between reusing a key share for optimization and reusing a key share for decryption is whether or not the server dumps this key share to disk. That is not a difference in TLS. In fact these two are indistinguishable.

And that brings us back to Rich’s question: Do we expect evildoers to signal that they’re doing this?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
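An added example, not part of the original message: a client-side check over recorded handshakes that reports how long each server kept presenting the same key share. It measures reuse duration only, which does not show whether the key was written to disk. The function names, the use of the message's "1 minute" figure as a threshold, and the sample observations are all constructed assumptions.

```python
from collections import defaultdict

# The "1 minute" reuse-for-optimization figure mentioned in the message,
# used here as an assumed threshold.
OPTIMIZATION_WINDOW_S = 60


def reuse_windows(observations):
    """Map (server, key_share) -> (first_seen, last_seen, handshake_count)."""
    seen = {}
    for ts, server, share in sorted(observations):
        first, _, count = seen.get((server, share), (ts, ts, 0))
        seen[(server, share)] = (first, ts, count + 1)
    return seen


def long_lived_shares(observations, max_age=OPTIMIZATION_WINDOW_S):
    """Return {server: [(key_share, seconds_in_use, count)]} for any share
    that was seen in more than one handshake across more than max_age seconds."""
    flagged = defaultdict(list)
    for (server, share), (first, last, count) in reuse_windows(observations).items():
        if count > 1 and last - first > max_age:
            flagged[server].append((share, last - first, count))
    return dict(flagged)


# Constructed sample: (unix_time, server name, server key share as hex).
SAMPLE = [
    (1000, "a.example", "aa01"),  # reused for 20 s, then rotated
    (1020, "a.example", "aa01"),
    (1090, "a.example", "aa02"),
    (1000, "b.example", "bb01"),  # same share still in use an hour later
    (1500, "b.example", "bb01"),
    (4600, "b.example", "bb01"),
    (1000, "c.example", "cc01"),  # fresh share on every handshake
    (1001, "c.example", "cc02"),
]

if __name__ == "__main__":
    for server, shares in long_lived_shares(SAMPLE).items():
        for share, age, count in shares:
            print(f"{server}: share {share} seen {count} times over {age} s")
```

A flagged server has only been shown to reuse a share for longer than the threshold; the observations look the same whether or not the private key was also exported.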