[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

tirumal reddy <kondtir@gmail.com> Thu, 25 July 2024 11:19 UTC

To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
CC: Paul Vixie <paul@redbarn.org>, Paul Wouters <paul@nohats.ca>, Tommy Jensen <Jensen.Thomas@microsoft.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Message-ID: <CAFpG3gfX-fiB3j1m-ZGeq5+5RCwMXiHQdWfbQta17-zcG=Oa+Q@mail.gmail.com>
In-Reply-To: <SA1PR15MB437001C4B67FA2B45FA1E2BAB3A92@SA1PR15MB4370.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iN7b3Dd7kPnNyDNlLYl9viuh0dY>

On Wed, 24 Jul 2024 at 02:29, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
wrote:

> It seems like there's some confusion here.  ECH is an extension to TLS
> that is still under development (and now nearly final).  Use of ECH is
> optional in TLS 1.3.  Any entity that can control the TLS version in use
> also has the ability to disable ECH, so allowing TLS 1.3 does not require
> an administrator to permit ECH.
>

Yes. In addition, TLS 1.2 would reveal the device (or user) identity to
eavesdroppers and is not a viable option.

-Tiru


>
> --Ben Schwartz
> ------------------------------
> *From:* Paul Vixie <paul@redbarn.org>
> *Sent:* Tuesday, July 23, 2024 4:01 PM
> *To:* Paul Wouters <paul@nohats.ca>
> *Cc:* Tommy Jensen <Jensen.Thomas@microsoft.com>; Ben Schwartz <
> bemasc@meta.com>; dnsop <dnsop@ietf.org>; Damick, Jeffrey <
> jdamick@amazon.com>; Engskow, Matt <mengskow@amazon.com>; Jessica
> Krynitsky <Jess.Krynitsky@microsoft.com>
> *Subject:* Re: [DNSOP] Re: [EXTERNAL] New Version Notification for
> draft-tjjk-cared-00.txt
>
> --
> P Vixie
>
> On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> > On Jul 23, 2024, at 12:09, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> > > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > > networks will never allow TLS 1.3 because of ECH.
> >
> > You can do TLS 1.3 without ECH ?
>
> if an endpoint wants TLS 1.3 with ECH, there's no way to negotiate them down
> to TLS 1.3 without ECH. there is a way to negotiate them down to TLS 1.2.
>
> > Making a weaker version of TLS mandatory would be unwise, unless it’s to
> > give more time for migration away from it.
>
> migration for military, government, and many corporate networks can't happen.
> for reasons of law, regulation, or policy, they must see the client hello
> before they can decide whether to block the flow. "just secure your devices"
> can't work due to the way the supply chain works. the only alternative will be
> to block outbound entirely and force all traffic through a non-intercepting
> proxy.
>
> ietf knew this, but RFC 8890 forbade us to consider it. i was a dissenter. the
> fact that you refer to TLS 1.2 as "weaker" may indicate a preference that we
> mandate a technology that often _cannot_ be used even though the alternative
> ("effective mandate") will be a technology (explicit proxy) which is in fact
> weaker than TLS 1.2. we should not argue from talking points.
>
> don't put it in terms of migration. just recommend that fallback be allowed.
> 50 years from now, smarter people than us can think of a better way forward.
> as things are today, secure private edge networks including military,
> government, and many commercial networks, will not allow TLS 1.3 to be used.
>
> paul
>
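The disagreement in the thread is about what an on-path egress filter (or an eavesdropper) can read from a ClientHello: the offered TLS versions, the server_name (SNI), and whether the encrypted_client_hello extension is present. The following Python parser is an added example and is not part of the thread or of draft-tjjk-cared; it builds a constructed ClientHello record (the ECH extension body is a zero-filled placeholder, not real HPKE ciphertext) and reports what is visible in cleartext. The extension codepoints (server_name 0x0000, supported_versions 0x002b, encrypted_client_hello 0xfe0d) are the registered values; the "egress verdict" policy function is an assumption made for illustration.

```python
"""Inspect a TLS ClientHello the way an egress policy point would see it.

Added example (not from the DNSOP thread). It parses the three extensions
relevant to the discussion: supported_versions, server_name (SNI) and
encrypted_client_hello (ECH). All ClientHello bytes are constructed here.
"""
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint from draft-ietf-tls-esni

VERSION_NAMES = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str, versions, ech: bool) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (test input only)."""
    host = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host  # name_type=host_name
    exts = _ext(EXT_SERVER_NAME, struct.pack("!H", len(sni_entry)) + sni_entry)
    if versions:  # TLS 1.2-only clients typically omit supported_versions
        vers = b"".join(struct.pack("!H", v) for v in versions)
        exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vers)) + vers)
    if ech:
        # Placeholder body; a real ECH extension carries the encrypted inner hello.
        exts += _ext(EXT_ECH, b"\x00" * 32)
    body = (
        b"\x03\x03" + b"\x00" * 32            # legacy_version, random (constructed)
        + b"\x00"                              # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big")  + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the TLS versions, SNI and ECH presence visible in cleartext."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    legacy_version = struct.unpack("!H", record[9:11])[0]
    pos = 9 + 2 + 32  # record header (5) + handshake header (4) + version + random
    pos += 1 + record[pos]                                       # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + record[pos]                                       # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"versions": [], "sni": None, "ech": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["versions"] = [VERSION_NAMES.get(v, hex(v))
                                for (v,) in struct.iter_unpack("!H", data[1:1 + n])]
        elif etype == EXT_ECH:
            info["ech"] = True
    if not info["versions"]:  # no supported_versions: legacy_version is authoritative
        info["versions"] = [VERSION_NAMES.get(legacy_version, hex(legacy_version))]
    return info


def egress_verdict(info: dict) -> str:
    """Hypothetical policy: does the filter see the real destination name?

    With ECH the cleartext SNI is only the public (outer) name, so a policy
    that must see the true destination cannot decide from this hello.
    """
    return "sni-hidden" if info["ech"] else "sni-visible"


if __name__ == "__main__":
    for name, vers, ech in [("internal.example", [0x0304, 0x0303], False),
                            ("public.example", [0x0304], True),
                            ("legacy.example", [], False)]:
        info = parse_client_hello(build_client_hello(name, vers, ech))
        print(name, info, egress_verdict(info))
```

The third constructed hello (no supported_versions extension) shows the TLS 1.2-only case the thread discusses: the version comes from legacy_version and the SNI is fully visible, which is both why a policy point can evaluate it and why Tiru notes it reveals the identity to eavesdroppers. The second hello shows the ECH case: the filter still parses a server_name, but it is only the outer public name.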