Dear all,

Disclaimer: I am not a proponent of the idea behind draft visibility/green/rhrd; I think such a mechanism should not be part of the TLS 1.3 standard.

I have a technical problem with the current design, whose goal is to allow eavesdropping for inspection, i.e., selectively decreasing confidentiality. However, the design in the draft also enables arbitrary traffic modification/insertion, additionally breaking all authentication and integrity guarantees. Once someone has the session keys, they can not only eavesdrop but can also start to insert/modify traffic.

This additional decrease in security is entirely unmotivated by the cited use cases.

It is possible to offer authentication and integrity, while selectively giving up confidentiality. For example, one could replace the AEAD by (i) a mechanism for authentication and (ii) a separate mechanism for confidentiality, and then possibly reveal the keys used for (ii), but make sure only the real endpoint has the keys for (i).

That seems more rational to me, and may retain the authentication/integrity guarantees. However, it would require a much more invasive change.

Best,

Cas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
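
Added example, not part of the original message and not code from any TLS draft: a sketch of the key separation the message proposes, as encrypt-then-MAC with an encryption key that may be disclosed to an inspector and a MAC key held only by the endpoints. The function names, record layout and the SHAKE-256 keystream (a standard-library stand-in for a real stream cipher such as AES-CTR or ChaCha20) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

def _xor_stream(data, enc_key, nonce):
    # Stand-in stream cipher: SHAKE-256 used as a keystream generator (assumption).
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key, mac_key, nonce, plaintext):
    """Endpoint: encrypt under enc_key, then authenticate under mac_key."""
    ct = _xor_stream(plaintext, enc_key, nonce)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def inspect(enc_key, nonce, record):
    """Inspector: holds enc_key only, so it can read but cannot produce tags."""
    return _xor_stream(record[:-TAG_LEN], enc_key, nonce)

def open_record(enc_key, mac_key, nonce, record):
    """Endpoint: verify the tag before decrypting; reject modified records."""
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    return _xor_stream(ct, enc_key, nonce)

def demo():
    # Constructed sample keys and message.
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    record = seal(enc_key, mac_key, nonce, b"transfer 10 to alice")
    seen = inspect(enc_key, nonce, record)
    # Holder of enc_key only: can re-encrypt new content but must reuse the old tag.
    tampered = _xor_stream(b"transfer 99 to alice", enc_key, nonce) + record[-TAG_LEN:]
    try:
        open_record(enc_key, mac_key, nonce, tampered)
        rejected = False
    except ValueError:
        rejected = True
    # Holder of both keys (the "has the session keys" case): the rewrite is accepted.
    forged = seal(enc_key, mac_key, nonce, b"transfer 99 to alice")
    accepted = open_record(enc_key, mac_key, nonce, forged)
    return seen, rejected, accepted

if __name__ == "__main__":
    print(demo())
```

Because the MAC is symmetric, both endpoints hold `mac_key`; the integrity guarantee holds only against parties that were given `enc_key` alone.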