Re: TLS on disconnected/intermittently connected networks

Keith Moore, Thu, 04 March 2021 21:05 UTC

List-Id: IETF-Discussion <>

On 3/4/21 3:52 PM, Sam Hartman wrote:

>      Keith>    IOW it's not only TLS and X.509 that are needed, but a
>      Keith> stack (including browser) that can use these without needing
>      Keith> DNS or external connectivity.
> I've been doing this a fair bit for isolated networks for cyber training
> and for other things in that space.
> We end up providing a DNS and a PKI etc.
> At this point it's going to be simpler to provide some good devops'd dns
> and PKI than to go develop a custom browser.

I've written code for a variety of environments like these for the last 13 years or so: gas pipeline monitoring, broadcast television operations, traffic signal monitoring/control, factory monitoring/automation, avionics, cryogenic dewar monitoring for various kinds of environments, and some others that don't come to mind immediately. For the environments I've worked with, any of that kind of stuff would be a non-starter. DNS is rightly seen as yet another reason for things to fail, and factories, gas pipelines, etc. are intolerant of lines being shut down because some IT guy wanted to use a name rather than an IP address. Static IPs work just fine for these situations. External connections are also regarded as security threats and generally forbidden, which is not to say that the rules are never bent or that nobody ever plugs in a nomadic laptop.

So they do need better protection against threats and sometimes they'll even admit it (the customers more than the equipment manufacturers), but the Big Internet assumptions don't work for them.
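The point above, that TLS and X.509 have to work with static IP addresses and no resolver, can be made concrete with Go's standard library. The following is an added example, not code from this thread or from any project discussed in it: it builds a constructed private root and a server certificate whose only identity is an IP SAN, then verifies that certificate for the address a client would dial. The CA name, the "plc-1" name and the addresses are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue generates a key pair and signs tmpl with parentKey; a nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed root: the new key signs its own certificate
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain returns a constructed private root CA and a server certificate identified only by the static address ip (IP SAN, no DNS name).
func BuildChain(ip string) (ca, leaf *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Plant Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "plc-1"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.ParseIP(ip)}}, ca, caKey)
	return ca, leaf, err
}

// VerifyForIP validates leaf against the private root for the address the client dialed; an IP-literal name is matched against the IP SANs, so no resolver is consulted.
func VerifyForIP(ca, leaf *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

A client on such a network pins the private root in its trust store and dials the address directly; the same check rejects a certificate presented from a different address or signed by a root it does not hold.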