Re: TLS on disconnected/intermittently connected networks

Keith Moore <moore@network-heretics.com> Thu, 04 March 2021 19:59 UTC

To: ietf@ietf.org
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <3f4db10c-dd92-354b-4fc9-6f14f4383454@network-heretics.com> <809967EB-F315-48D9-A301-73DFA4212FDE@dukhovni.org>
Message-ID: <f9ad3bdd-3768-8c5f-a98c-73249f9a5ac3@network-heretics.com>
In-Reply-To: <809967EB-F315-48D9-A301-73DFA4212FDE@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/dVeDeddcJjWbYhYIz-yxFl6YbBY>

On 3/4/21 2:46 PM, Viktor Dukhovni wrote:

>> On Mar 4, 2021, at 4:44 PM, Keith Moore <moore@network-heretics.com> wrote:
>>
>> There are lots of applications (including but not limited to ordinary web browsers and servers) running on disconnected and intermittently-connected networks out there that need encryption, and which can't practically use TLS, because they don't use DNS or even host files. But it's not a limitation of the TLS protocol so much as of the APIs and the code that does certificate verification.
> TLS without DNS name checks and/or without any hierarchical PKI
> is directly supported by OpenSSL.

Yes, I know.  But people need web browsers that can do this.  And there's still a need to thwart active attacks in such environments.

IOW it's not only TLS and X.509 that are needed, but a stack (including browser) that can use these without needing DNS or external connectivity.

Keith
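The two points made in this exchange, that a TLS library can authenticate a peer without DNS name checks or any CA hierarchy, and that such a setup still has to defeat an active on-path attacker, can be shown in working code. The following is an added example, not code from this thread, from OpenSSL, or from any browser; it uses Go's standard library rather than OpenSSL because it is self-contained, but the mechanism (skip the default chain and name checks, then verify the peer in a callback; in OpenSSL the equivalent hook is the SSL_CTX_set_verify callback) is the same. All function names, the "sensor-node" subject, and the loopback topology are assumptions of the example. The client pins the SHA-256 of the server's SubjectPublicKeyInfo, so a genuine node is accepted and an impostor presenting its own self-signed certificate is refused, with no DNS, hosts file, or CA anywhere in the picture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert mints a throwaway self-signed leaf: no DNS name, no issuing CA.
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sensor-node"}, // hypothetical device name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin is SHA-256 over the DER SubjectPublicKeyInfo; it survives cert renewal.
func spkiPin(der []byte) ([32]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo), nil
}

// pinnedClientConfig does no hostname check and consults no CA store, yet rejects
// any peer whose key differs from pin. InsecureSkipVerify only disables the default
// chain and name checks; VerifyPeerCertificate still runs and decides.
func pinnedClientConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("peer sent no certificate")
			}
			got, err := spkiPin(rawCerts[0])
			if err != nil {
				return err
			}
			if got != pin { // both values are public; no constant-time compare needed
				return fmt.Errorf("key pin mismatch: peer offered %s", hex.EncodeToString(got[:]))
			}
			return nil
		},
	}
}

// handshake runs one TLS handshake over loopback between a server holding serverCert
// and a client pinned to pin; nil means the client authenticated the server.
func handshake(serverCert tls.Certificate, pin [32]byte) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // the verdict is observed on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedClientConfig(pin))
	if err == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if the client never connected
	<-done
	return err
}

func main() {
	legit, _ := newSelfSignedCert()
	rogue, _ := newSelfSignedCert() // an on-path impostor holding its own key
	pin, _ := spkiPin(legit.Certificate[0])
	fmt.Println("genuine node:", handshake(legit, pin)) // <nil>
	fmt.Println("impostor:", handshake(rogue, pin))     // key pin mismatch
}
```

The pin has to reach the client out of band (provisioned at install time, scanned from the device, or carried in a signed manifest); that distribution step is exactly the part a general-purpose browser has no UI or policy for, which is the gap the message above points at. Note also that the "skip verification" flag on its own would be a real vulnerability; it is only safe here because the callback does the authentication the default path would otherwise have done.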