Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Roelof duToit <r@nerd.ninja> Tue, 28 July 2020 02:44 UTC

From: Roelof duToit <r@nerd.ninja>
Message-Id: <FB7D596B-5A87-4814-A4CD-33AA1A0F733B@nerd.ninja>
Date: Mon, 27 Jul 2020 22:44:47 -0400
In-Reply-To: <ff20547b-eef3-34b6-802a-79f6289ab962@cs.tcd.ie>
Cc: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, OPSEC <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <CAN40gSvq4_g10EvsReRLgxrqqfXVp_A-XB90T8rDVTTZ0=rV-w@mail.gmail.com> <411590AE-EEA6-41EE-B0C8-CC1E0C05F1CE@akamai.com> <25CD4A36-5BE5-4B70-ACA7-04494C017D9D@cisco.com> <ff20547b-eef3-34b6-802a-79f6289ab962@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/FrfVaMqYY-HEKUZmTohUBk0eC8g>

RFC 8446, section 9.3 states:
Note that TLS's protocol requirements and security analysis only
apply to the two connections separately.  Safely deploying a TLS
terminator requires additional security considerations which are
beyond the scope of this document.

The context of that paragraph is "A middlebox which terminates a TLS connection" and it implies that there are undocumented security considerations.
The tls-proxy-bp draft is a contribution towards that goal and we think it is worth the effort.

--Roelof


> On Jul 27, 2020, at 8:35 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> 
> On 28/07/2020 00:48, Eric Wang (ejwang) wrote:
>> We felt the lack of a
>> baseline bcp is going to hurt the security posture of TLS rather than
>> driving the intermediary away.
> 
> That makes no sense to me.
> 
> Adopting this draft will require eliminating all such
> gibberish and instead finding text that can garner IETF
> consensus. I really do not think that effort is worth
> the significant cost for anyone involved, pro-MITM or
> not.
> 
> S.
> 