Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Eric Rescorla <ekr@rtfm.com> Thu, 30 July 2020 00:35 UTC
On Wed, Jul 29, 2020 at 5:06 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> Hiya,
>
> On 30/07/2020 00:56, Eric Rescorla wrote:
> > What text in TLS do you believe terminating proxies (in either direction)
> > do not conform to?
>
> I tend to start with the abstract: "TLS allows
> client/server applications to communicate over the
> Internet in a way that is designed to prevent
> eavesdropping, tampering, and message forgery."
>
> I think that text has remained through various
> iterations.

Yes, and in this context, the MITM proxy is a server from the client's
perspective and a client from the origin server's perspective.

> More importantly, the analyses done for tls1.3
> afaik do not consider such 3rd parties except as
> an attacker.

I would say rather that those analyses consider them as protocol endpoints
and address the two individual connections terminated by the proxy and have
nothing to say about the composition of those two connections.

> I'm by no means denying the fact that MITM boxen
> are deployed, but the idea that some of them are
> "conformant" and some are not seems bogus.

Well, they are either conformant with the text of 8446 S 9.3 or they are
not (and just to be clear, being conformant with 9.3 does not make them
good for the reason indicated above).

-Ekr