Merge pull request #7 from tlswg/fs-break

Riffing on Dennis' idea

draft-ietf-tls-keylogfile.md

@@ -247,6 +247,12 @@ consumption by other programs.  In both cases, applications might require
 special authorization or they might rely on system-level access control to limit
 access to these capabilities.
 
+Forward secrecy guarantees provided in TLS 1.3 (see {{Section 1.2 and Appendix
+E.1 of ?RFC8446}}) and some modes of TLS 1.2 (such as those in {{Sections 2.2
+and 2.4 of ?RFC4492}}) do not hold if key material is recorded.  Access to key
+material allows an attacker to decrypt data exchanged in any previously logged TLS
+connections.
+
 Logging the TLS 1.2 "master" secret provides the recipient of that secret far
 greater access to an active connection than TLS 1.3 secrets.  In addition to
 reading and altering protected messages, the TLS 1.2 "master" secret confers the