On 20/02/2025 12:36, Alicja Kario wrote:
> sorry, but the threat model you're talking about is not realistic

I disagree. While it may not be feasible to notify a user, the threat of widely deployed software that supports key exfiltration being abused is real, and made worse by us standardising on this way of documenting what is to be exfiltrated. If we were solely concerned with the security of the bytes sent, then this document wouldn't exist (here).

Cheers,
S.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org