I find the current situation of key shares being reused without the other peer knowing unacceptable and frankly the worst possible option.
I am curious why this is worse than, say, knowing that the server reports SSLKEYLOGFILE into a public S3 bucket or similar? And do you think a real adversary would self-report that they are using ephemeral keys?
TLS mailing list -- tls@ietf.org