Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Ben Schwartz <bemasc@google.com> Mon, 27 July 2020 13:30 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Mon, 27 Jul 2020 09:30:35 -0400
Message-ID: <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/3OTuMSGxaAGFoTSCf0flAtW9jnQ>

I'm concerned about this work happening outside the TLS working group.  For
example, the question of proper handling of TLS extensions is not addressed
at all in this draft, and has significant security and functionality
implications.  There are various other tricky protocol issues (e.g. version
negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start,
round-trip deadlock when buffers fill, ticket (non-)reuse, client
certificate linkability pre-TLS-1.3, implications of SAN scope of
synthesized certificates) that could arise and are going to be difficult to
get right in any other WG.

The title "TLS Proxy Best Practice" implies that it is possible to proxy
TLS correctly, and that this document is the main source for how to do it.
I think the TLS WG is the right place to make those judgments.  For the
OpSec group, I think a more appropriate draft would be something like "TLS
Interception Pitfalls", documenting the operational experience on failure
modes of TLS interception.

On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:

> The document is not imposing any standards but rather provides guidelines
> for those implementing TLS proxies; given that proxies will continue to
> exist I'm not sure why there is a belief that the IETF should ignore this.
>
> Warm regards, Nancy
>
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-bounces@ietf.org on behalf of uri@ll.mit.edu> wrote:
>
>     I support Stephen and oppose adoption. IMHO, this is not a technology
>     that IETF should standardize.
>
>
>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>
>
>         I oppose adoption. While there could be some minor benefit
>         in documenting the uses and abuses seen when mitm'ing tls,
>         I doubt that the effort to ensure a balanced document is at
>         all worthwhile. The current draft is too far from what it'd
>         need to be to be adopted.
>
>         Send to ISE.
>
>         S.
>
>         On 23/07/2020 02:30, Jen Linkova wrote:
>         > One thing to add here: the chairs would like to hear active and
>         > explicit support of the adoption. So please speak up if you believe
>         > the draft is useful and the WG shall work on getting it published.
>         >
>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
>         > <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>         >>
>         >> Folks,
>         >>
>         >>
>         >>
>         >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
>         >>
>         >>
>         >>
>         >> Please send comments to opsec@ietf.org by August 3, 2020.
>         >>
>         >>
>         >>
>         >> Ron
>         >>
>         >>
>         >>
>         >>
>         >
>         >
>         >
>         > --
>         > SY, Jen Linkova aka Furry
>         >
>         > _______________________________________________
>         > TLS mailing list
>         > TLS@ietf.org
>         > https://www.ietf.org/mailman/listinfo/tls
>         >
>
>