IETF Logo Mail Archive

Re: [Lurk] 答复: 答复: 答复: Is this scenario covered by LURK?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 23 June 2016 09:06 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B7112DF98 for <lurk@ietfa.amsl.com>; Thu, 23 Jun 2016 02:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zttUJfvZdMMX for <lurk@ietfa.amsl.com>; Thu, 23 Jun 2016 02:06:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7F3E12DFFC for <lurk@ietf.org>; Thu, 23 Jun 2016 02:04:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id EF30ABE38; Thu, 23 Jun 2016 10:04:24 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQFT3G3zSGYs; Thu, 23 Jun 2016 10:04:22 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4B0AFBE32; Thu, 23 Jun 2016 10:04:22 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1466672662; bh=uGymxyZDn+lE3QRv2Me4ArLHLS/RgyT94t7oosSiajw=; h=Subject:To:References:From:Date:In-Reply-To:From; b=HHCvWdQYbqceV1LOZfp761MfYq8yYFOK4hyTyVMclVnVtcPcZca42IsGNpHl0xVul n3O40gX5VbtUY2+W6kZ9CYMXvBARKOGzp5pIEtTGpgiZOnS2tpBuQnidnweDUVxsW1 bfpHsaLCTYmnV3fvdT8PU+5FaUJWrMlxOZvTuEBs=
To: Youjianjie <youjianjie@huawei.com>, "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>, Daniel Migault <daniel.migault@ericsson.com>, "lurk@ietf.org" <lurk@ietf.org>
References: <D390086C.6A76E%thomas.fossati@alcatel-lucent.com> <F6C28B32DA084644BB6C8D0BD65B669DC0C87E@NKGEML515-MBX.china.huawei.com> <576A66C7.1080602@cs.tcd.ie> <F6C28B32DA084644BB6C8D0BD65B669DC0CD7D@NKGEML515-MBX.china.huawei.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <576BA616.7070101@cs.tcd.ie>
Date: Thu, 23 Jun 2016 10:04:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <F6C28B32DA084644BB6C8D0BD65B669DC0CD7D@NKGEML515-MBX.china.huawei.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040602060203090704060008"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/Gv9iCvmq0QSTteNrGGCyk86qFko>
Subject: Re: [Lurk] 答复: 答复: 答复: Is this scenario covered by LURK?
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2016 09:06:09 -0000


On 23/06/16 09:13, Youjianjie wrote:
> Hi Stephen,
> 
> I read RFC2804. I'm confused about the problem for the middle-box use
> case. In this use case, the sending party, the recipient party and
> the middle-box are all know about the traffic management. 

"Traffic management" here being a euphemism for TLS MitM I guess.

> The
> assumption is they've negotiated and agreed for doing this. Is it
> still inconsistent with RFC2804?

IMO, practically, yes. Standardising a TLS MitM is exactly the kind
of thing that is not consistent with RFC2804. And that has been
proposed and rejected numerous times. Please see the httpbis and TLS
WG archives for discussion that we ought not repeat here for the N-th
time.

Second, any assumption that the TLS client is modified, is also, I
think, likely best considered out of scope of LURK. The one use-case
on which we clearly have interest involves browsers and CDNs and web
sites. Browsers afaik have zero interest in enabling a new TLS MitM
(I certainly hope they don't) no matter how such a "feature" is
named.

ISTM that this thread is a side-track that leads nowhere.

S.

> 
> Thanks, Jianjie
> 
>> -----邮件原件----- 发件人: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] 发送时间: 2016年6月22日 18:22 收件人:
>> Youjianjie; Fossati, Thomas (Nokia - GB); Daniel Migault;
>> lurk@ietf.org 主题: Re: [Lurk] 答复: 答复: Is this scenario covered by
>> LURK?
>> 
>> 
>> 
>> On 22/06/16 09:40, Youjianjie wrote:
>>> It is about decryption under the negotiation agreement among the
>> participated parties.
>> 
>> Not wearing any hats, but if work in lurk is inconsistent with 
>> RFC2804 that will IMO be a significant negative.
>> 
>> I'd say there are use-cases for lurk that don't have that problem 
>> and that developing those would be more productive.
>> 
>> S.
>> 
>> PS: I'd say exactly the same about using spud/plus to do things 
>> that RFC2804 says we don't do so this isn't really a "what venue" 
>> issue.
>

v2.23.0 | Report a Bug | By Email