Re: [arch-d] Off topic [was: IAB Statement on Encryption and Mandatory Client-side Scanning of Content]

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 19 December 2023 22:30 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 19 Dec 2023 17:29:41 -0500
Message-ID: <CAMm+LwhsEAo=E_x2DLupzGWGou1z1vQEEUiG77oGvxx0QwRaCw@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Hesham ElBakoury <helbakoury@gmail.com>, architecture-discuss@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/HHD14derxl8NqR5MyGnG-H2ctHo>

On Tue, Dec 19, 2023 at 5:00 PM Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:

> Hesham,
> On 19-Dec-23 11:59, Hesham ElBakoury wrote:
>
> > Nubeva has developed technology to extract TLS keys to be used by 3rd
> > party tools to decrypt and inspect the traffic [
> > https://www.nubeva.com/hubfs/Downloadables/Nubeva%20SSL%20Solution%20Brief_Nov%202019.pdf
> > ].
> >
> > Would this violate client privacy?
> >
>
> I may be missing something, but I don't understand how this product could
> work unless the "Sensor" component is configured with the server's private
> keys. Is that correct?
>

Not if the client or the server is leaking the session keys in-band.

There is no statement to the effect that it doesn't require endpoint
modification.

This sort of mechanism is deployed inside environments like process control
where you don't want to have any communications that can't be monitored. An
engineer trying to work out what is happening on a nuclear site has to be
able to read absolutely every piece of traffic on the SCADA network.
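As an added illustration of the in-band key-export mechanism Phillip describes (example code added here, not Nubeva's product or anything from the thread): it assumes the endpoint exports per-session secrets in the NSS key log format (the SSLKEYLOGFILE convention Wireshark consumes), and the sample lines are constructed. It shows what a passive sensor actually receives, and that a server private key is never part of it.

```python
import re
from collections import defaultdict

# NSS key log labels (the SSLKEYLOGFILE convention Wireshark consumes). TLS 1.2
# logs one master secret per session; TLS 1.3 logs per-direction secrets. All
# are keyed by the 32-byte client random so a passive sensor can match packets.
TLS12 = {"CLIENT_RANDOM"}
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return {client_random: {label: secret}}; malformed lines are skipped."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        label, client_random, secret = m.groups()
        # Secret must be a TLS hash output: 48 bytes for a TLS 1.2 master
        # secret, 32 or 48 bytes (SHA-256 / SHA-384) for TLS 1.3 secrets.
        ok = ((label in TLS12 and len(secret) == 96) or
              (label in TLS13 and len(secret) in (64, 96)))
        if ok:
            sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)


def decryptable_sessions(sessions):
    """Client randoms whose application data a passive monitor could decrypt.
    Note what is absent: no server private key; a leaked log exposes only the
    exported sessions, not the server's identity."""
    app = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return sorted(cr for cr, lbl in sessions.items()
                  if "CLIENT_RANDOM" in lbl or app <= set(lbl))


# Constructed sample, not a real capture: a TLS 1.2 session, a complete TLS 1.3
# session, a TLS 1.3 session lacking the server direction, a truncated secret.
SAMPLE_KEYLOG = f"""# constructed key log
CLIENT_RANDOM {'11' * 32} {'22' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'44' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'55' * 32}
CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'66' * 32}
SERVER_TRAFFIC_SECRET_0 {'33' * 32} {'77' * 32}
CLIENT_TRAFFIC_SECRET_0 {'88' * 32} {'99' * 32}
CLIENT_RANDOM {'aa' * 32} {'bb' * 20}
"""
```

On a monitored network the same parser doubles as an audit check: any host producing such a file has been modified to export its session secrets, which is the endpoint change Phillip's reply points to.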