> On Dec 6, 2018, at 4:08 PM, Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org> wrote:
>
> Widespread deployment of draft-dkg-tls-reject-static-dh-01 and failing connections to "enterprise TLS" servers would probably qualify as "essential circumstances", at least to some operators.

I don't think the TLS WG or IETF can win this skirmish. If some operators are set on session recording, they'll find a way, and the more obstacles they have to overcome the more likely they are to compromise security along the way. So while clients should not do anything special to support this, and the protocol should not change to adapt to the use-case, it might in fact be more productive to help the operators who need this arrive at an approach that minimizes risk. Explicitly trying to defeat what they're sure to do anyway does look like a wise approach to me.

The operators could, for example, derive the (EC)DH private key from an HMAC of the client and server random with a secret key shared with the wiretap device. The client would never know, and the (EC)DH key would not look any different to an outside observer.

The best we can probably do is publicize the risks, so that auditors are well aware of them and can highlight poor designs, and hope that some operators will decide they can do without such intercepts, or will use an approach that preserves as much security as possible.

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
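
The derivation sketched in the message above, written out as an added example (it is not part of the original post and not code from any product). It shows that the server's key share differs on every connection, so a key-reuse check has nothing to observe, while anyone holding the escrow key can recompute every session's DH secret from values on the wire. X25519, HMAC-SHA256, the `client_random || server_random` input order and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 ladder. Illustration only: not constant-time."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64           # scalar clamping
    kn = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (kn >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def escrowed_private_key(escrow_key: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # The derivation sketched in the message: HMAC over both hello randoms.
    return hmac.new(escrow_key, client_random + server_random, hashlib.sha256).digest()

def server_side(escrow_key, client_random, server_random, client_share):
    priv = escrowed_private_key(escrow_key, client_random, server_random)
    return x25519(priv, BASE), x25519(priv, client_share)  # (key share, DH secret)

def monitor_side(escrow_key, client_random, server_random, client_share):
    # Needs only the long-term escrow key plus values visible on the wire.
    priv = escrowed_private_key(escrow_key, client_random, server_random)
    return x25519(priv, client_share)

if __name__ == "__main__":
    escrow_key = os.urandom(32)                          # constructed sample values
    client_priv = os.urandom(32)
    client_share = x25519(client_priv, BASE)
    seen = set()
    for _ in range(3):
        cr, sr = os.urandom(32), os.urandom(32)
        share, secret = server_side(escrow_key, cr, sr, client_share)
        assert secret == x25519(client_priv, share) == monitor_side(escrow_key, cr, sr, client_share)
        seen.add(share)
    print("distinct server key shares:", len(seen), "of 3; monitor recovered all secrets")
```

For an auditor the consequence is that forward secrecy for every recorded session now rests on the confidentiality of `escrow_key`, so its storage, rotation and access logging are the controls to examine.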