Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

"Salz, Rich" <rsalz@akamai.com> Thu, 30 July 2020 01:26 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: Ron Bonica <rbonica@juniper.net>, OPSEC <opsec@ietf.org>, Nick Harper <nharper=40google.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ATZ4KMEcYqnJSEhqR3d1VaJLOwE>

> I would say rather that those analyses consider them as protocol endpoints and address the two individual connections terminated by the proxy and have nothing to say about the composition of those two connections.

I think that some of those opposed are conflating the general “end to end” argument with what the TLS protocol RFC says, as ekr is saying.

Conformance isn’t the issue, really, it’s ickiness. It’s one thing if an enterprise installs intermediaries to monitor the outbound traffic on its machines, it’s another if a national-scale attacker does so surreptitiously, and it’s various other things along those spectrums. We’d all like a clear bright line to say YES here, NO there, and WELL MAYBE IF YOU MUST over there, but that’s not possible.