However, even with the addition of -04, the way we distribute software -- as binaries -- even to developers dictates that many will (and do) see these features in user-facing production software. To prevent misuse against unsuspecting targets (in lawful interception, abusive relationships, etc.), the security considerations should *strongly* suggest that active debugging be made visible to the user.
It is one thing if you enable this feature in production for clients, as only their connections will be exposed. Adding a sentence similar to the one you suggest [1] is fine with me. It is another thing to enable it in production for servers, and that should not happen.

[1] https://mailarchive.ietf.org/arch/msg/tls/nnqmXWtuBUD7W5NOkB57BYk723c/
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org