Re: [OPSEC] Request comments and discussion for draft-camwinget-tls-ns-impact
Warren Kumari <warren@kumari.net> Wed, 04 March 2020 15:35 UTC
References: <DC776DEE-D5DC-46CD-BDBE-114990494486@cisco.com>
In-Reply-To: <DC776DEE-D5DC-46CD-BDBE-114990494486@cisco.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 04 Mar 2020 10:34:43 -0500
Message-ID: <CAHw9_i+rArSNDds7TTOVs4dzXwDYCCa2auHUSR8HK4=cH4dYWA@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/6NiImtrcCoCfkZVaGKfJuQN5yUg>
Subject: Re: [OPSEC] Request comments and discussion for draft-camwinget-tls-ns-impact
On Tue, Mar 3, 2020 at 9:18 PM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
>
> Hello OPSEC participants,
>
> Given the trends to improve on security and privacy, we thought it important to also
> document how network security solutions are used and how they interact with TLS.
>
> We have submitted https://datatracker.ietf.org/doc/draft-camwinget-tls-ns-impact/
> and believe it is appropriate to discuss in this working group.

Thank you for this document -- I found it to be nicely readable and understandable -- other than one major question / point.

I'm sure I'm going to mess up the terminology horribly here - apologies in advance...

Section 3:
"To achieve this, a TLS Proxy must be able to present a valid X.509 certificate to the TLS client to appear as a valid TLS Server; similarly, the client must be able to validate the X.509 certificate using the appropriate trust anchor for that TLS connection."

I've seen at least 2 deployment types for this sort of inspection - the first is where a client is informed that there is a proxy server that they need to send their traffic through -- i.e. the system or browser is configured with a proxy server (OS X called this "Secure Web Proxy"), and is configured with something like https://proxy.example.com:8080. The second is a security appliance which does MiTM type stuff, and the client installs a corporate CA certificate.

These are two very very different deployment scenarios, and the "valid" part in "valid X.509 certificate" has very different meanings[0]. I think that it would be useful to clearly outline these two methods of watching "encrypted" user traffic, and clarify which one(s) you are talking about.

The sentence:
"This TLS Proxy is a transparent hop on the packet path; and where necessary, preserves the client's and server's original IP address and the intended source and destination TCP ports."
implies only the second, but I think it would be useful to be much clearer in the introduction...

W

[0]: Yup, technically they are both valid, but (at least in my opinion) the second is much less so :-P

>
> Warm regards, Nancy (and my co-authors)
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf