Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Ben Schwartz <bemasc@google.com> Mon, 27 July 2020 13:30 UTC
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 27 Jul 2020 09:30:35 -0400
Message-ID: <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/3OTuMSGxaAGFoTSCf0flAtW9jnQ>
I'm concerned about this work happening outside the TLS working group. For example, the question of proper handling of TLS extensions is not addressed at all in this draft, and has significant security and functionality implications. There are various other tricky protocol issues (e.g. version negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start, round-trip deadlock when buffers fill, ticket (non-)reuse, client certificate linkability pre-TLS-1.3, implications of SAN scope of synthesized certificates) that could arise and are going to be difficult to get right in any other WG.

The title "TLS Proxy Best Practice" implies that it is possible to proxy TLS correctly, and that this document is the main source for how to do it. I think the TLS WG is the right place to make those judgments.

For the OpSec group, I think a more appropriate draft would be something like "TLS Interception Pitfalls", documenting the operational experience on failure modes of TLS interception.

On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:

> The document is not imposing any standards but rather provide guidelines
> for those implementing TLS proxies; given that proxies will continue to
> exist I'm not sure why there is a belief that the IETF should ignore this.
>
> Warm regards, Nancy
>
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-bounces@ietf.org on behalf of uri@ll.mit.edu> wrote:
>
> I support Stephen and oppose adoption. IMHO, this is not a technology
> that IETF should standardize.
>
> On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>
> I oppose adoption. While there could be some minor benefit
> in documenting the uses and abuses seen when mitm'ing tls,
> I doubt that the effort to ensure a balanced document is at
> all worthwhile.
>
> The current draft is too far from what it'd
> need to be to be adopted.
>
> Send to ISE.
>
> S.
>
> On 23/07/2020 02:30, Jen Linkova wrote:
> > One thing to add here: the chairs would like to hear active and
> > explicit support of the adoption. So please speak up if you believe
> > the draft is useful and the WG shall work on getting it published.
> >
> > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
> > <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >>
> >> Folks,
> >>
> >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
> >>
> >> Please send comments to opsec@ietf.org by August 3, 2020.
> >>
> >> Ron
> >>
> >> Juniper Business Use Only
> >>
> >> _______________________________________________
> >> OPSEC mailing list
> >> OPSEC@ietf.org
> >> https://www.ietf.org/mailman/listinfo/opsec
> >
> > --
> > SY, Jen Linkova aka Furry
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
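Of the pitfalls Ben lists, the SAN scope of synthesized certificates is one a proxy operator can check mechanically. The following is an added example, not code from the thread or from draft-wang-opsec-tls-proxy-bp; it assumes a conservative policy (every name in the certificate the proxy mints must be covered by a name in the origin certificate it validated, with a wildcard covering exactly one label) and uses constructed sample names.

```python
# Added example (not from the thread or the draft): check that a certificate a
# TLS proxy synthesizes for its client does not claim a broader name scope than
# the origin certificate the proxy actually validated. The policy is an
# assumption: a synthesized SAN is acceptable only if some origin SAN covers it,
# and an origin wildcard covers exactly one label (never another wildcard).
import re

# A single DNS label: letters, digits, inner hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def _covered(origin: str, synthesized: str) -> bool:
    """True if origin SAN `origin` covers synthesized SAN `synthesized`."""
    if origin == synthesized:
        return True
    # Only an identical wildcard may cover a wildcard; a literal origin name
    # covers nothing but itself.
    if not origin.startswith("*.") or synthesized.startswith("*."):
        return False
    suffix = origin[1:]  # "*.cdn.example.test" -> ".cdn.example.test"
    if not synthesized.endswith(suffix):
        return False
    left = synthesized[: -len(suffix)]
    return _LABEL.match(left) is not None  # exactly one label on the left


def check_synthesized_sans(origin_sans, synthesized_sans):
    """Return the synthesized SANs not covered by any origin SAN.

    An empty list means the synthesized certificate is within scope."""
    origin = [_normalize(n) for n in origin_sans]
    return [name for name in synthesized_sans
            if not any(_covered(o, _normalize(name)) for o in origin)]


# Constructed sample: an origin cert for a fictional site and two candidate
# certs a proxy might mint for it.
ORIGIN_SANS = ["www.example.test", "*.cdn.example.test"]
NARROW = ["www.example.test", "img.cdn.example.test"]
BROAD = ["www.example.test", "*.example.test", "a.b.cdn.example.test"]

if __name__ == "__main__":
    print(check_synthesized_sans(ORIGIN_SANS, NARROW))  # []
    print(check_synthesized_sans(ORIGIN_SANS, BROAD))   # over-scoped names
```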