Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Roelof duToit <r@nerd.ninja> Mon, 27 July 2020 19:10 UTC

Return-Path: <r@nerd.ninja>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0F0B3A0B20; Mon, 27 Jul 2020 12:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nerd.ninja
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZSj44J968Kh; Mon, 27 Jul 2020 12:10:11 -0700 (PDT)
Received: from sender4-of-o56.zoho.com (sender4-of-o56.zoho.com [136.143.188.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4F8E3A0B1B; Mon, 27 Jul 2020 12:10:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595877006; cv=none; d=zohomail.com; s=zohoarc; b=S7LtaFbemdYLS80yoI9wtLwHpaixLjmosJqzyH/QPYx+SjvWFjKp6DAJvF9VaXwXX2kwF19/rDLrkeOX8OlmzyDNggsCBjxa36Z7uFb1qU9z2YyUVkYfnnCnJN4/RXcrp+/TdPVbAgOZ3Uv2zvG5SjgZllVuanxnm7dPFy+jYqA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1595877006; h=Content-Type:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=hBjSPHu6BCu9ENbjTPpscKRBYl7pt1TPKb5A9H0SCHo=; b=VntLRT55DWA2Vp2E+mYK1O0AqeVVRYv3fKepIJqi5i324+CK4Uq2CZUhZiVMH9yzc0pQbWjrFsxo7b2HtDxz3BGaJgMZ+G/Dfa52wCqEqhwMm0Fc/v6401B+usWEEvpVDBaUM8s9V9B2agMXzMVPxXUMVrAeVAhPvzE8U6x/U3g=
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=nerd.ninja; spf=pass smtp.mailfrom=r@nerd.ninja; dmarc=pass header.from=<r@nerd.ninja> header.from=<r@nerd.ninja>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1595877006; s=zoho; d=nerd.ninja; i=r@nerd.ninja; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References; bh=hBjSPHu6BCu9ENbjTPpscKRBYl7pt1TPKb5A9H0SCHo=; b=QssZ9KPE/P6bay0rVLgFY5tDCkm8IpjivWdxrhuI180kTgrEallhLsNqEvZBsjf5 9xZI+njlEXqio6wuE3kDRgrCzyq9i4s/zE/4R5+brObJslHdBJFiksuDBZ9TcaR14mA /JIMPkL2d5b7RBfJpLqmNLO9120LAxDJb1CMbR74=
Received: from roelofs-mbp.lan (dynamic-acs-24-112-241-136.zoominternet.net [24.112.241.136]) by mx.zohomail.com with SMTPS id 1595877001615625.2498653877881; Mon, 27 Jul 2020 12:10:01 -0700 (PDT)
From: Roelof duToit <r@nerd.ninja>
Message-Id: <54986B60-E12B-4E83-AD7B-FC8F2B6F372B@nerd.ninja>
Content-Type: multipart/alternative; boundary="Apple-Mail=_16E42D4D-DD46-4B60-99FD-9472F92F1F57"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 27 Jul 2020 15:09:59 -0400
In-Reply-To: <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
Cc: Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <43A56381-0BA8-4123-A2D5-950FD1EDFC86@cisco.com> <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-ZohoMailClient: External
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/YNyU5VPvKRF2Xng5L6iMsriAnIc>
Subject: Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 19:10:13 -0000

As co-author I support adoption of the draft and appreciate the feedback.

The authors agreed at the time that the OPSEC WG charter would better match our intention of documenting the BCP for TLS proxies given that the TLS WG charter places more of an emphasis on the TLS protocol.  Having said that, we do also agree that the TLS WG should be involved.  The recommendation from the TLS WG chairs was to continue in OPSEC and to cc the TLS WG.

--Roelof


> On Jul 27, 2020, at 9:30 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> I'm concerned about this work happening outside the TLS working group.  For example, the question of proper handling of TLS extensions is not addressed at all in this draft, and has significant security and functionality implications.  There are various other tricky protocol issues (e.g. version negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start, round-trip deadlock when buffers fill, ticket (non-)reuse, client certificate linkability pre-TLS-1.3, implications of SAN scope of synthesized certificates) that could arise and are going to be difficult to get right in any other WG.
> 
> The title "TLS Proxy Best Practice" implies that it is possible to proxy TLS correctly, and that this document is the main source for how to do it.  I think the TLS WG is the right place to make those judgments..  For the OpSec group, I think a more appropriate draft would be something like "TLS Interception Pitfalls", documenting the operational experience on failure modes of TLS interception.
> 
> On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org <mailto:40cisco.com@dmarc.ietf.org>> wrote:
> The document is not imposing any standards but rather provide guidelines for those implementing TLS proxies;  given that proxies will continue to exist I'm not sure why there is a belief that the IETF should ignore this.
> 
> Warm regards, Nancy
> 
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-bounces@ietf.org <mailto:opsec-bounces@ietf.org> on behalf of uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
> 
>     I support Stephen and oppose adoption. IMHO, this is not a technology that IETF should standardize.
> 
> 
>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org> on behalf of stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
> 
> 
>         I oppose adoption. While there could be some minor benefit
>         in documenting the uses and abuses seen when mitm'ing tls,
>         I doubt that the effort to ensure a balanced document is at
>         all worthwhile. The current draft is too far from what it'd
>         need to be to be adopted.
> 
>         Send to ISE.
> 
>         S.
> 
>         On 23/07/2020 02:30, Jen Linkova wrote:
>         > One thing to add here: the chairs would like to hear active and
>         > explicit support of the adoption. So please speak up if you believe
>         > the draft is useful and the WG shall work on getting it published.
>         > 
>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
>         > <rbonica=40juniper.net@dmarc.ietf.org <mailto:40juniper.net@dmarc.ietf.org>> wrote:
>         >>
>         >> Folks,
>         >>
>         >>
>         >>
>         >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
>         >>
>         >>
>         >>
>         >> Please send comments to opsec@ietf.org <mailto:opsec@ietf.org> by August 3, 2020.
>         >>
>         >>
>         >>
>         >>                                                                 Ron
>         >>
>         >>
>         >>
>         >>
>         >> Juniper Business Use Only
>         >>
>         >> _______________________________________________
>         >> OPSEC mailing list
>         >> OPSEC@ietf.org <mailto:OPSEC@ietf.org>
>         >> https://www.ietf.org/mailman/listinfo/opsec <https://www.ietf.org/mailman/listinfo/opsec>
>         > 
>         > 
>         > 
>         > --
>         > SY, Jen Linkova aka Furry
>         > 
>         > _______________________________________________
>         > TLS mailing list
>         > TLS@ietf.org <mailto:TLS@ietf.org>
>         > https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
>         > 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls