Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

"Eric Wang (ejwang)" <ejwang@cisco.com> Mon, 27 July 2020 23:48 UTC

Return-Path: <ejwang@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B8F3A0475; Mon, 27 Jul 2020 16:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=CUdJzx4q; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=vwuA6ywe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id laCC-6ni-8tO; Mon, 27 Jul 2020 16:48:50 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 961563A045B; Mon, 27 Jul 2020 16:48:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6636; q=dns/txt; s=iport; t=1595893730; x=1597103330; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=pwohvGD9IWMSV52fL47hvxgr51Q3GW0FI9D/+WN6LT0=; b=CUdJzx4qiu+0XfDmhw+CqPHRsk7T/+67kAQtTZ6G2oODvn1MY1G735UO ErFR+kxjpe7O5N8e5LK/gbFcgCEJmj3hUlmpPQ0I1m5Sy4qzgWWgLCPob i/wV6YHE9fUmbdG/YrbgL+yw1sj42dzlQe33PMx9SAP9e7tfk8yCDZSM3 s=;
IronPort-PHdr: =?us-ascii?q?9a23=3A7hGHthH0oK8XBcUM7nXdY51GYnJ96bzpIg4Y7I?= =?us-ascii?q?YmgLtSc6Oluo7vJ1Hb+e401gObUYDS8fkCiufKvebnQ2NTqZqCsXVXdptKWl?= =?us-ascii?q?dFjMgNhAUvDYaDDlGzN//laSE2XaEgHF9o9n22Kw5ZTcD5YVCBrni79zVUGx?= =?us-ascii?q?jjO0xyPOumUoLXht68gua1/ZCbag5UhT27NLV1Khj+rQjYusQMx4V4LaNkwR?= =?us-ascii?q?rSqXwOcONTlm4=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CoAAA6Zx9f/4YNJK1gHQEBAQEJARI?= =?us-ascii?q?BBQUBQIE3BwELAYEiL1EHb1gvLAqHcAOhTIRsgS6BJQNVCwEBAQwBARgBCgo?= =?us-ascii?q?CBAEBhEwCgicCJDUIDgIDAQELAQEFAQEBAgEGBG2FXAyFcgIEAQEQCyMBASw?= =?us-ascii?q?LAQ8CAQg/BycLFBECBA4FIoMEAYF+TQMtAQEOpGQCgTmIYXSBNIMBAQEFhS8?= =?us-ascii?q?Ygg4DBoE4AYJshgyEBBqCAIE4HIJNPoJcAQECggqDHIItkiMBhxWLUpBjCoJ?= =?us-ascii?q?emW4DHp9krVqDVgIEAgQFAg4BAQWBVQE3gVdwFTsqAYI+PhIXAg2OHoNxhRS?= =?us-ascii?q?FQnQCNQIGCAEBAwl8jgIBgRABAQ?=
X-IronPort-AV: E=Sophos;i="5.75,404,1589241600"; d="scan'208,217";a="518619441"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 Jul 2020 23:48:49 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 06RNmn6X019318 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 27 Jul 2020 23:48:49 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 27 Jul 2020 18:48:49 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 27 Jul 2020 18:48:49 -0500
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 27 Jul 2020 19:48:48 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jjwYLTgRK30Upm7/AqyV1VfR8+OTwQj+PkmOGw+eBwD6oi4Ce9fLOSBxkznJZFio3e9q40ZE0iaM6DiOqMKyWv9mMbkPFMXap+ZrUwgV39OOWv/EVndU0lg4EoohIQ89ml2iO1xEjNxfWAOZD8x42dzzQqO+c0cX0EDAHJzMSjFBRz3cIsl2OoJ72eqTiezE6iSbLZXcH6Fvwy3mcGBvXtv5CQ5K9fPDnVRBxuEq98OzviZKzjYkMaBg4QgkZbd5Hxeqz2NRfGmruE6DDQ2zA5Y0fwf8Nhx8Y+0K72YBWRI5nxXsV5H1rBTdCXo2YuQHh4Xg7LnpRkXrxA/Wa8A53A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gb4mzWzF+nBKYWgFwM8QQOyBJhSJ+PF3Ut2FkwQXglI=; b=CIcvKL4a5kinqCoXBm4UxRykvrAb+mgHQ5ejxiIBMF4uvV4vmGQF6Uuqt+ugBN2h0/q0tbRPu37VMLNaQxritJPthy4lr9OmzJ94PwfDET+nnTMAeFzw48CXy8PZQB/vfHOFi7lGL5ndwAohjW5lHKfiBbye2PGXTmb3XnP6gNf1HT7wpVzJELrGdz3wXUAP7kvxkwvhmsaxqZDlHS9vuE4vJQueBc3bZGnLHps3qo6fwMgdRPNWDzulIjOqVmbxyZ62x+8i8E7toW2jNlm/6aX5QJbcd+7/kajJg1GgRJ5I0Z3FsDJ3PL7sJ74sIsYCUX7/wM3eLEuEpuB2I8EWcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gb4mzWzF+nBKYWgFwM8QQOyBJhSJ+PF3Ut2FkwQXglI=; b=vwuA6ywe2vJp2XYdbT7PGhy78kMnw+fEP8f+ISJC/BgoLAWBXUM2lVXhD4dV+QATE/Dm1pxvxIeo4xBAbw+q5/ndOPY4nGwi7uLRGsqgptTMcwsNeU89175N9IcRnrOliwDVd73BpZxPdf/o9ouOul3pPQ8qlRaFvSN1MYWl0Qk=
Received: from BYAPR11MB2789.namprd11.prod.outlook.com (2603:10b6:a02:cc::11) by BYAPR11MB3781.namprd11.prod.outlook.com (2603:10b6:a03:b1::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.20; Mon, 27 Jul 2020 23:48:48 +0000
Received: from BYAPR11MB2789.namprd11.prod.outlook.com ([fe80::9913:ef92:7ce3:8870]) by BYAPR11MB2789.namprd11.prod.outlook.com ([fe80::9913:ef92:7ce3:8870%6]) with mapi id 15.20.3216.033; Mon, 27 Jul 2020 23:48:48 +0000
From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: Ira McDonald <blueroofmusic@gmail.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, OPSEC <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Thread-Index: AQHWZBBX3s7yu2FQsE+4XY6AWPSf36kbWk4AgAAC3gCAALuiAA==
Date: Mon, 27 Jul 2020 23:48:47 +0000
Message-ID: <25CD4A36-5BE5-4B70-ACA7-04494C017D9D@cisco.com>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <CAN40gSvq4_g10EvsReRLgxrqqfXVp_A-XB90T8rDVTTZ0=rV-w@mail.gmail.com> <411590AE-EEA6-41EE-B0C8-CC1E0C05F1CE@akamai.com>
In-Reply-To: <411590AE-EEA6-41EE-B0C8-CC1E0C05F1CE@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.15)
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [171.68.244.70]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3e832567-1ba5-4984-c304-08d832879b61
x-ms-traffictypediagnostic: BYAPR11MB3781:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BYAPR11MB37815B0FB9404DB5AE6D15B0D0720@BYAPR11MB3781.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IXWPdijTWCKJGfjr7wURldzMyUbRruy/q6D73mAG8LmKnBUjuGBRWYRUnzlZhNl3m4fPLbezk88memQg6eV/Go2sIgjeEx+IFDFdTpEmKziZKTCd/Oymmc9d3aWdUjzfbrgh4rANVM6Z+HZapiOQEDfzY5SZ+Jk6SkAJDpG/JzkrXrWc5MwYByTtDPU5M9Fe2Nv4gRB8EkDPKNa4DgJPYexrMxstSyTPL6Yn3CGHi1m8x9xEMsLq4rxFWccXihcc/o9EjIktom74RWONpaaaNyvd3SG/6m+iiWDUNg7J9UKBoXy/8+VZVzqrRAW/q7vtO+vUgCn7TkBbrGPXYuKYxxA31ar/euDUd0hx2CNOP80e7bosmc4i75/Q5BwGGjGkBkPboxUo6Iar3Zog4s/Qug==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB2789.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(366004)(136003)(376002)(346002)(396003)(64756008)(86362001)(36756003)(76116006)(5660300002)(2616005)(66476007)(71200400001)(66446008)(66556008)(91956017)(8936002)(478600001)(4744005)(6486002)(66946007)(2906002)(166002)(53546011)(316002)(83380400001)(8676002)(6506007)(6512007)(966005)(26005)(186003)(54906003)(33656002)(4326008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: UZmJF1TjNHlhuO/4SUFCvz7DOpxjHhBcdLzD5SrSqiA665rrtgRwlVc4Tzd4VveQjOJ1tdw/iGhT3K92Lc9lytr7AndYetoaN7r1fRH3qdWFdUoWTC1dUY1S4XuTj+s6qWzZ7dQHumnyg40i+jKTu4QBGzACqkRpc8sBfD0XLEGz1gVHg6/XKJ6Ke6MWEWrBmDzxWMHtBnrz0Nlz2ZTNR+cZNeaLzOOX6d5WRXHQQwxwnALWceSKHw+11rk8qiZLDGcfy34pn3FVHI317bcni1CM4XJUe6XdVU7dYQtH1dxh7GGJdqh965NWjHJJ08mhQjCQAP/pycOlLHZWQEitZaCu68T3b7ZIRyjuEGdgJzY27MpA2EMjPJzUkbnovJRFYCBsCqiTJmHeLE9uiGaV//CHEobMMHjujP1sFzKEjJZazuwIf9h3ZEymV3KBkXABpF7oU3lqC3CY6XV2PkQvL6O5Cb7hHzG12/fURzT29Ug=
Content-Type: multipart/alternative; boundary="_000_25CD4A365BE54B70ACA704494C017D9Dciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2789.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e832567-1ba5-4984-c304-08d832879b61
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2020 23:48:47.9135 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: uc0iX2zDzktFt6+Jwj8j49gjtvnVTC9UnWM1M5LlLgnzLMXwjsdcJ7KKwHk8mLfL3lUVem0ed9hhkZPeAJzxvg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3781
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: alln-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/qt1adueJMx_bZL6PiQtOiHpABQo>
Subject: Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 23:48:54 -0000

Thanks you Rich.  Obviously I support the adoption as one of the authors. But more importantly, the reality of growing TLS proxy was the driver for starting the draft.  That has been a sidecar with the progression of TLS and its wide deployment.  We felt the lack of a baseline bcp is going to hurt the security posture of TLS rather than driving the intermediary away.

Best,
-Eric


On Jul 27, 2020, at 5:37 AM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org<mailto:rsalz=40akamai.com@dmarc.ietf.org>> wrote:

Not adopting this seems to be ignoring reality. There are places which use TLS intermediaries. Are those users not welcome here?

I support adoption.
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org<mailto:OPSEC@ietf.org>
https://www.ietf.org/mailman/listinfo/opsec