Re: [Atlas] Status Update

Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Tue, 19 June 2018 17:53 UTC

Return-Path: <mirja.kuehlewind@tik.ee.ethz.ch>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96B0C1311B4 for <atlas@ietfa.amsl.com>; Tue, 19 Jun 2018 10:53:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bMCzbKWvbiRN for <atlas@ietfa.amsl.com>; Tue, 19 Jun 2018 10:53:01 -0700 (PDT)
Received: from virgo02.ee.ethz.ch (virgo02.ee.ethz.ch [129.132.72.10]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19EE81311AF for <atlas@ietf.org>; Tue, 19 Jun 2018 10:53:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by virgo02.ee.ethz.ch (Postfix) with ESMTP id 419FtM4sdsz15MC9; Tue, 19 Jun 2018 19:52:59 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at virgo02.ee.ethz.ch
Received: from virgo02.ee.ethz.ch ([127.0.0.1]) by localhost (virgo02.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9aEBgOBwx3I; Tue, 19 Jun 2018 19:52:57 +0200 (CEST)
X-MtScore: NO score=0
Received: from [82.130.103.20] (nb-10688.ethz.ch [82.130.103.20]) by virgo02.ee.ethz.ch (Postfix) with ESMTPSA; Tue, 19 Jun 2018 19:52:57 +0200 (CEST)
To: atlas@ietf.org, Tommy Pauly <tpauly@apple.com>, Chris Wood <cawood@apple.com>
References: <VI1PR0801MB2112385E74223CC722B0E2A1FA7B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <OF2AB8BDA9.34065D36-ON652582B1.00498E9D-652582B1.00498EA3@tcs.com>
From: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Message-ID: <ee2be3a1-77ba-f471-a7a4-cecff6472d65@tik.ee.ethz.ch>
Date: Tue, 19 Jun 2018 19:52:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <OF2AB8BDA9.34065D36-ON652582B1.00498E9D-652582B1.00498EA3@tcs.com>
Content-Type: multipart/mixed; boundary="------------E41CFD66500739234FB550C2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/DhjvshopK_16slJmtCrttOH1dkw>
Subject: Re: [Atlas] Status Update
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 17:53:05 -0000

Hi all,

writing as an individual contributor, not an IESG member.

I just briefly looked at draft-friel-tls-atls-00 and when I saw Figure 
6, I have to say that I do wonder a bit what additional standardization 
is needed here. The new parts are the key export and the App Data Crypto 
box. However, the key export is mainly an interface question and to my 
understanding there are by now already libraries that provide the needed 
interface for quic. And the actual app data crypto should be rather 
straight forward and probably does not need that much standardization...?

In the context of taps, however, we've been thinking about how to even 
more generalize this approach (in figure 6). The two points I think 
could be generalized here even more are

1) The TLS handshake should be completely separated from the crypto and 
could be run directly by the TLS stack without "tunneling" it through 
the application. Effectively, in theory the handshake would not even 
need to use the same transport connection or transport protocol than the 
application (also it probably could).

This also something we discuss/propose in this draft as input for taps:
https://tools.ietf.org/html/draft-kuehlewind-taps-crypto-sep-02

2) The TLS handshake could negotiate within one handhshake multiple key 
shares that can be used on different layers for different protocols and 
algorithms. I guess that is more a question/request for the TLS working 
group but goes into the same direction of separating handshake/control 
and the actual crypto more.

Mirja



On 19.06.2018 15:23, Abhijan Bhattacharyya wrote:
> Hello Hannes,
> Thanks for the update. The revise charter looks good. So what can we 
> expect in Montral? Do we expect another attempt towards a BoF?
> I have a view against the particular observation of low activities in 
> the mailing list. I think what ATLAS is trying to do is to collect and 
> coordinate between different relevant stray proposals (which may have 
> already been worked out) under a single consolidated standardization 
> effort. So, the activities are waiting at a threshold of a coordinated 
> future progress. But, more activities in this list is definitely a 
> proposition to establish the point of interest for the IETF community.
> 
> With Best Regards
> Abhijan Bhattacharyya
> Associate Consultant
> Scientist, TCS Research
> Tata Consultancy Services
> Building 1B,Ecospace
> Plot -  IIF/12 ,New Town, Rajarhat,
> Kolkata - 700160,West Bengal
> India
> Ph:- 033 66884691
> Cell:- +919830468972
> Mailto: abhijan.bhattacharyya@tcs.com 
> <mailto:abhijan.bhattacharyya@tcs..com>
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty. IT Services
> Business Solutions
> Consulting
> ____________________________________________
> 
> 
> -----"Atlas" <atlas-bounces@ietf.org <mailto:atlas-bounces@ietf.org>> 
> wrote: -----
> To: "atlas@ietf..org <mailto:atlas@ietf.org>" <atlas@ietf.org 
> <mailto:atlas@ietf.org>>
> From: Hannes Tschofenig
> Sent by: "Atlas"
> Date: 06/08/2018 05:14PM
> Subject: [Atlas] Status Update
> 
> Hi all,
> 
> Owen and I submitted another BoF proposal to the IESG based on the 
> feedback from the last IETF meeting.
> 
> Here is the most recent charter text we came up with:
> 
> ---
> 
> There are multiple scenarios where clients and servers need to negotiate 
> shared encryption keys and establish secure, authenticated, 
> integrity-protected, end-to-end encrypted sessions at the application 
> layer over untrusted transport. There are a proliferation of transport 
> protocols and mechanisms in use today across web and IoT use cases 
> including, but not limited to, TCP, UDP, IP, Bluetooth and Zigbee. 
> Additionally, network topologies often include middleboxes and proxies 
> that terminate transport layer connections from clients and re-originate 
> new transport layer connections towards the servers. From the clients 
> and servers perspective, these transport layer proxy functions are 
> untrusted and application data must be protected and encrypted, and not 
> exposed to these proxies. There are multiple potential mechanisms that 
> could be considered for negotiation of encryption keys, and 
> establishment of end-to-end encrypted sessions at the application layer 
> between clients and servers, and this working group proposes use of 
> existing (D)TLS protocols and stacks.
> 
> This working group proposes reuse of (D)TLS at the application layer as 
> a simple and straightforward means of achieving the security and 
> implementation goals. The primary purpose of the working group is to 
> develop specifications defining how (D)TLS can be leveraged at the 
> application layer (i.e. Application Layer TLS or ATLS) to establish 
> end-to-end encrypted sessions over a multitude of different transports.
> 
> Additionally, during development of ATLS specifications, the working 
> group will consider and address concerns such as:
> 
> o complex, multi-hop and lossy transport topologies
> 
> o (D)TLS record fragmentation at the transport layer
> 
> o middlebox operators whose goals include interception of application 
> layer data
> 
> The working group will engage with other relevant working groups across 
> the Applications and Real-Time Area (art), Security Area (sec) and 
> Transport Area (tsv), and one of the goals of this working group is to 
> explicitly identity all related working groups that must be consulted 
> during ATLS specifications development.
> 
> ---
> 
> There do not seem to be minutes available from the IESG/IAB BoF 
> discussions and how they reached their conclusions. So, we can only 
> report what has been told to us by proxy.
> 
> In any case, the IESG rejected the BoF proposal.
> 
> The impression from the IESG was that the Bar BOF in London produced 
> mixed feelings and that there was no activity on the list afterwards.
> 
> Another comment was that the required standardization effort is too 
> small to justify the setup of an entire working group.
> 
> At first, this sounds a bit negative. On the other hand, we have two 
> implementations right now. While they need to be polished I believe this 
> is something we could go forward with.
> 
> Ciao
> Hannes
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose the 
> contents to any other person, use it for any purpose, or store or copy 
> the information in any medium. Thank you.
> _______________________________________________
> Atlas mailing list
> Atlas@ietf.org <mailto:Atlas@ietf.org>
> https://www.ietf.org/mailman/listinfo/atlas
> 
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments. Thank you
> 
> 
> 
> _______________________________________________
> Atlas mailing list
> Atlas@ietf.org
> https://www.ietf.org/mailman/listinfo/atlas
>