Open LPardue opened 2 years ago
Good point, thanks. I think the answer is "principle of least trust" from RFC 4949, which in this instance tells us we should not deliberately leak keys to clients that don't need them, as that would increase the key exposure footprint unnecessarily.
Section 10.2 says:
That sounds sensible but my question is, why shouldn't they? If they ignore the recommendation, what can go wrong?