Hi all,

> Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> Richard Barnes <r...@ipv.sx> writes:
>
>> 3 seems like it encodes the expectation of most people for what the protocol
>> means. If you're using a cipher suite labeled something like "ECDHE", it's
>> reasonable to expect that it's actually ephemeral,
>
> I'd support 3 as well for the same reason, it says (EC)DH-Ephemeral, not
> (EC)DH-Possibly-Ephemeral-But-We-Cant-Guarantee-Anything-Who-Knows-What-You-
> Might-Get-Are-You-Feeling-Lucky.

I also agree with this point. If we include a MUST be ephemeral in RFC8446bis, then we send the clear signal that this is the way to do things. It is also the version of TLS 1.3 that was analyzed by the provable security people (though I don’t expect that it makes a difference other than make the proofs more complicated).

If we put this change in -bis, then the applications that don’t use true ephemeral keys will still be compliant with (though then superseded) RFC8446-not-bis, right? So even if we had a Protocol Police then those committing this particular Protocol Crime have some defense. ;-)

Cheers,

Thom Wiggers

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
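A check for the property the thread is arguing about, written as an added example (it is not code from the thread or from any TLS implementation): it parses the key_share extension out of captured TLS 1.3 ServerHello records and flags a server that sends the same (EC)DHE public share across handshakes, which is what "not actually ephemeral" looks like on the wire. The ServerHello records are constructed inside the block rather than captured, and the parser assumes one ServerHello per plaintext handshake record.

```python
import struct

KEY_SHARE = 0x0033  # TLS extension type for key_share (RFC 8446)

def parse_server_hello_key_share(record: bytes):
    """Return (group, key_exchange) from a TLS 1.3 ServerHello handshake record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])  # record header
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 2:                              # handshake / ServerHello
        raise ValueError("not a ServerHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # legacy_version + random
    pos += 1 + body[pos]                                       # legacy_session_id_echo
    pos += 2 + 1                                               # cipher_suite + compression
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos, end = pos + 2, pos + 2 + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == KEY_SHARE:
            group, klen = struct.unpack("!HH", data[:4])
            return group, data[4:4 + klen]
    raise ValueError("no key_share extension")

def reused_key_share(records) -> bool:
    """True if two ServerHellos carry the same share: no fresh (EC)DHE key per handshake."""
    seen = set()
    for rec in records:
        share = parse_server_hello_key_share(rec)
        if share in seen:
            return True
        seen.add(share)
    return False

def build_server_hello(key_exchange: bytes, group: int = 0x001d) -> bytes:
    """Constructed sample ServerHello (x25519, TLS_AES_128_GCM_SHA256); not a real capture."""
    ext = struct.pack("!HH", 0x002b, 2) + b"\x03\x04"          # supported_versions
    ext += struct.pack("!HHHH", KEY_SHARE, 4 + len(key_exchange),
                       group, len(key_exchange)) + key_exchange
    # legacy_version, random, empty session id, cipher suite, compression, extensions
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body         # handshake header
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs   # record header

# Constructed shares: a server that reuses one share vs. one that rotates it.
SAME, FRESH = bytes(range(32)), bytes(range(32, 64))
HELLOS_REUSED = [build_server_hello(SAME), build_server_hello(SAME)]
HELLOS_FRESH = [build_server_hello(SAME), build_server_hello(FRESH)]
```

A server that only rotates its share every few seconds or thousand connections will pass this check on a small sample, so it shows reuse when it fires but does not prove freshness when it stays quiet.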