On Fri, May 24, 2024 at 4:15 PM Brendan McMillion < brendanmcmill...@gmail.com> wrote:
> The part of the spec you quoted says: if multiple certs match, choose any.
> When TE is rendered in actual code, why do you assume that there will be no
> configurable or easily-gameable way to make sure the government CA
> always wins?

I'm not assuming there will be no configurable or easily-gameable way to do this - I don't know what exactly that will look like in implementations. I'm asserting that TE alone as currently specified is insufficient for this attack, because TE says "choose any" and the attack needs to choose a specific one.