MLS or TLS? There is more than one encryption option.
Phillip Hallam-Baker <hallam@gmail.com> Fri, 15 November 2013 19:56 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1970721F9FE9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Nov 2013 11:56:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=4.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OuJa9nH5D5Kb for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Nov 2013 11:56:08 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 54BDE11E821F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Nov 2013 11:55:58 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1VhPUU-000710-9f for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Nov 2013 19:55:42 +0000
Resent-Date: Fri, 15 Nov 2013 19:55:42 +0000
Resent-Message-Id: <E1VhPUU-000710-9f@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <hallam@gmail.com>) id 1VhPUJ-00070G-1v for ietf-http-wg@listhub.w3.org; Fri, 15 Nov 2013 19:55:31 +0000
Received: from mail-lb0-f169.google.com ([209.85.217.169]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <hallam@gmail.com>) id 1VhPUH-0000bP-W4 for ietf-http-wg@w3.org; Fri, 15 Nov 2013 19:55:31 +0000
Received: by mail-lb0-f169.google.com with SMTP id x18so1942733lbi.0 for <ietf-http-wg@w3.org>; Fri, 15 Nov 2013 11:55:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=kLcjNJSw17AGnFtA/TQdnPdabNPq5zmMnYkuUeB8TG0=; b=zmWf4s4YJHq3khkDmSDQ0xV5EekSfOMOaPiDiQGLKzAHIH8xKQQooy+1QPAPihLw4k LrN6WccTW/X2NaG3a82VY5614F2yGnFYfR+2/SpaCWmEJXU2QaSvOZCYHq46kle+e42D OBZH48I/u3bmJ9ErbN4oY14oChHKMIvAJIakqmC6q9XBoKWAx0gWjqQCcj+ub55UeOpb YyIzVi4FJPC44Qny5JYbxSl77lML7OC5C1zNSUKVyToypCdDvC8be5eO1F+KRLG+L0KE lUWDd0hkaT41f9brOzj0nJgqPubOhfWnfxYGTpl08Q2zd08RQbrch44U5kRElqNp105k 2RJg==
MIME-Version: 1.0
X-Received: by 10.112.172.137 with SMTP id bc9mr4897358lbc.21.1384545303327; Fri, 15 Nov 2013 11:55:03 -0800 (PST)
Received: by 10.112.46.98 with HTTP; Fri, 15 Nov 2013 11:55:03 -0800 (PST)
Date: Fri, 15 Nov 2013 14:55:03 -0500
Message-ID: <CAMm+LwitCMbU5Xo_fpDfjZGkZEa9H=qgoe=fneFN_SKFp2bTZg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a11c26456faf94404eb3c929e"
Received-SPF: pass client-ip=209.85.217.169; envelope-from=hallam@gmail.com; helo=mail-lb0-f169.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.705, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1VhPUH-0000bP-W4 484f167336000998eb3c24f6dd715cc2
X-Original-To: ietf-http-wg@w3.org
Subject: MLS or TLS? There is more than one encryption option.
Archived-At: <http://www.w3.org/mid/CAMm+LwitCMbU5Xo_fpDfjZGkZEa9H=qgoe=fneFN_SKFp2bTZg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/20705
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
I have heard all the tactical reasons for wanting TLS as a mechanism for proxy busting. I do not accept these because however awful people think proxies are, they were invented for a purpose. Moreover I think that people are ignoring many of the practicalities of how TLS is supported by commercial providers. Whether you like the business models of the ISPs or not, there will be no deployment of HTTP 2.0 without them. Most ISPs provide HTTP 1.0 and DNS names at or below cost. Their primary means of making profits is to sell premium services. The only premium service that has not ended up being commoditized is selling SSL/TLS certificates. >From a technical point of view, TLS has two major impediments, first the stack is huge and proposing to use a subset does not make things any easier. The only part that can be easily separated from the rest is the PKIX stack but separating out all the dependencies would be many years of work for most of the systems out there. It really would be easiest to write a TLS-Lite stack from scratch rather than try to cut down the existing libraries. And that is before we get to the fact that it would take five years to agree on what TLS-Lite should contain. I propose that we go a different route for preventing pervasive surveillance, one that protects the HTTP content against a passive attack, has negligible additional overhead other than the actual encryption cycles and is compatible with the existing semantics of TLS. >From a marketing point of view I think the group is shooting itself in both feet (and other parts) with its message that HTTP/2.0 is much faster than HTTP/1.0 until you use the mandatory encryption which makes the transition a wash. It is quite easy to design a scheme that has these properties with a small fraction of the complexity of TLS-Lite. All that is required is a lightweight key exchange in the headers plus a Content-Encrypted header. I have even written code for such a scheme recently, albeit with Web Services in mind. This is the scheme that I subsetted to come up with the HTTP Session-ID proposal: https://datatracker.ietf.org/doc/draft-hallambaker-httpsession/ This draft does not have the DH key agreement or the encryption described but the code works and the whole package is only about 300 lines of C plus whatever the crypto libraries need (my estimate may be off as I write in C#). I took the encryption layer out for two reasons. First I thought it might shoot the chances of getting a standard in the IETF. But the more important reason was that I wanted to keep that capability as a silent, latent capability that could be turned on in case of future need such as another Arab Spring situation. Now that we are going to be going for preventing pervasive surveillance, I think we should add a Message Layer Security scheme to HTTP to complement TLS. In cases where the initial key exchange is supported by TLS, we can use channel binding to connect the two. We can also provide a mechanism to authenticate the MLS layer (which would be optional). But either scheme could be used independently. The advantage of using MLS and TLS in combination is that they both serve different security requirements. Pervasive encryption is a good idea but not if the cost is to weaken the security of a deployed system that works. We already have a TLS system that works well. I have no objection at all if the HTTP-BIS WG wants to mandate use of TLS with the WebPKI. But I don't think that is what is being proposed. What I think is being proposed is to wreck the only widely deployed security infrastructure that we have today by offering a 'lite' version that busts holes in the trust model. And that is not going to happen. -- Website: http://hallambaker.com/
- Re: MLS or TLS? There is more than one encryption… Tobias Gondrom
- MLS or TLS? There is more than one encryption opt… Phillip Hallam-Baker
- Re: MLS or TLS? There is more than one encryption… Poul-Henning Kamp
- Re: MLS or TLS? There is more than one encryption… Nicolas Mailhot
- Re: MLS or TLS? There is more than one encryption… Bruce Perens
- Re: MLS or TLS? There is more than one encryption… Phillip Hallam-Baker
- Re: MLS or TLS? There is more than one encryption… Poul-Henning Kamp
- Re: MLS or TLS? There is more than one encryption… Stephen Farrell
- Re: MLS or TLS? There is more than one encryption… Phillip Hallam-Baker
- Re: MLS or TLS? There is more than one encryption… Stephen Farrell
- Re: MLS or TLS? There is more than one encryption… Phillip Hallam-Baker