On Mon, Oct 23, 2017 at 3:30 PM, Benjamin Kaduk <bka...@akamai.com> wrote:

> There are no doubt folks here who would claim that the writing has been on
> the wall for five years or more that static RSA was out and forward secrecy
> was on the way in, and that now is the right time to draw the line and drop
> the backwards compatibility. In fact, there is already presumed WG
> consensus for that position, so a strong argument indeed would be needed
> to shift the boundary from now. I won't say that no such argument can
> exist, but I don't think we've seen it yet.

I don't have too strong an interest in this thread, it's not going anywhere, and I don't mind that. But I do want to chime in and point out that forward secrecy is not completely on the way in.

With STEK-based 0-RTT, it sounds like many implementors are happy to see users' requests, cookies, passwords and other secret tokens protected only by symmetric keys that are widely shared across many machines and geographic boundaries, with no defined key schedule, usage requirements or forward secrecy. Clearly, the consensus has been willing to accept that trade-off, and there is definite wiggle room.

--
Colm

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls