RE: [TLS] Please discuss: draft-housley-evidence-extns-00 - use to

["Kemp, David P." <DPKemp@missi.ncsc.mil>]

-----Original Message-----
From: Martin Rex [mailto:martin.rex@sap.com] 
>>
>> In security, perfect has always been the enemy of the good.
>
> Perfect forward secrecy is an enemy of TLS Evidence, and
> I prefer the former by a significant margin. (I mean Perfect Forward
> Secrecy as a design goal of the entire system, not only as
> an isolated characteristic in the threat model for a particular
> network link).

You keep saying that, but please explain why data retained by
"network trace" components that log all levels of the protocol
stack is not an enemy of perfect forward secrecy.  If data is
retained, it is retained, regardless of whether a signature
exists to authenticate that data.

--------------
6.2. Storage Considerations

   Parties that choose to preserve a plaintext record of Application
   Data or Handshake Protocol messages for evidence verification at a
   later time must ensure must ensure that this data is not
   inappropriately disclosed by employing suitable physical protection
   or cryptographic mechanisms that are at least as strong as the
   selected TLS ciphersuite.

---------------

That's true enough, but isn't it just as true that parties that
choose to preserve plaintext records of *normal TLS sessions*
must apply the same level of protection?  When evaluating
secrecy as a design goal of the entire system, the same operating
policies (what data is stored where and for how long) must be
applied to signed evidence and to unsigned evidence, otherwise
a comparison between TLS extension and unextended TLS is
meaningless.

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls