Re: [Patient] [saag] Internet Draft posted as requested -
"Diego R. Lopez" <diego.r.lopez@telefonica.com> Tue, 19 December 2017 00:18 UTC
Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75406126C22; Mon, 18 Dec 2017 16:18:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kt1MvcnFXHPQ; Mon, 18 Dec 2017 16:18:54 -0800 (PST)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30105.outbound.protection.outlook.com [40.107.3.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E11A12422F; Mon, 18 Dec 2017 16:18:54 -0800 (PST)
Received: from AM5PR0602MB3251.eurprd06.prod.outlook.com (10.167.170.156) by AM5PR0602MB3249.eurprd06.prod.outlook.com (10.167.170.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.323.15; Tue, 19 Dec 2017 00:18:51 +0000
Received: from AM5PR0602MB3251.eurprd06.prod.outlook.com ([fe80::5e9:e441:e61f:7696]) by AM5PR0602MB3251.eurprd06.prod.outlook.com ([fe80::5e9:e441:e61f:7696%13]) with mapi id 15.20.0323.018; Tue, 19 Dec 2017 00:18:51 +0000
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Brian Witten <brian_witten@symantec.com>, "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [Patient] [saag] Internet Draft posted as requested -
Thread-Index: AQHTd42wukyhoX4twUmW0ABJZQSMiaNIPdsAgAGhsYA=
Date: Tue, 19 Dec 2017 00:18:51 +0000
Message-ID: <98E78B0A-0351-4702-98F5-62DAF2C125CD@telefonica.com>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com> <dfdb52ca-81ae-50b7-cd5f-e256b5cb047d@cs.tcd.ie> <AF4C62E0-61AB-45DB-B3E6-56AB67A1070A@telefonica.com> <d47e82af-5c6f-9be5-4226-4d6713701148@cs.tcd.ie>
In-Reply-To: <d47e82af-5c6f-9be5-4226-4d6713701148@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.8.0.171210
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-originating-ip: [83.42.130.160]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM5PR0602MB3249; 6:fCWufTc9rsNvzqUFs2xI84kIXariHS+VnypwrnuVuzWv1JTKMOWX0+PP5cwTl0OnStBKONOQHgpg5sQnAu0MNPc2AjasQ29y/WG6l8+ZV2LFy2SJwHPfDaQHY64CzgxgD349ncmnGXUccEE4qHIEgULl1N44A2VhSFHd97/qx3UuX6LP4ZreF0gLnyvdy+HiGKzsZq/6UOqIVM1pXcEkYQjXuHsSMfU3dl/lbMzEx1hIuXzbgiZGRSB4sU8eKHsys6jYhnfbggDx0Ut7X3QDcX7dyV58P0ZiDNZKULyN0QqBvWPSmu9r0Y32AcgMEVeun/dCwhjafWktdRLpTJS5oje5oXj5AJOe/OCvPsUtqGc=; 5:wGfn58HIVU+ry+8nSVoqkAgRo9b+bL20eYbR9T7MbyQ0zixL6aOCCpYrPpNmlwvLJyFMxpJ8UpxmFQtd95TOz0fVtCftmAXrOi3dXtoyC2jjgtHGlDcBlgQcpj0DPu7EyZVGusIlh9k7P+n1RL6xYnhdKGIeThIjdivA0NYtNPk=; 24:HixjhGwRKT2jQJTc+cqe64EPkaL0DwAJ6SkVMYAxlv6DjnSiWk7XPHyJt6alfFjPM6o8RaBwTIf0GEdzmt2Z5Hvn6VSYbeOLahPqfRGjOdg=; 7:6BqphXct4fX+88bnuQxuL/Cg99p+h+8umDIq4+aw1gL/vuN9GFEqXivGJL2akN6vSUkLVhxYCIMUbGjKgjPyRcckXAFL+EDRsjkO8joQZMaqXfHLC9rTCakr7C0XmVPVXUaBzpYsi8HT/56LzRDRVQuFJuvlyea97qHnL5O6aK0im3XSS1T0xj6se7jt2k9YgPLBecijVdQskdG1I6mgtl3pYmtHGJ/rbO2GRF6koLAzM6eLyMa1oMTN6uohDXrg
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: aa744c2e-d83a-4500-54c7-08d546761537
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(48565401081)(2017052603307); SRVR:AM5PR0602MB3249;
x-ms-traffictypediagnostic: AM5PR0602MB3249:
x-microsoft-antispam-prvs: <AM5PR0602MB3249E7344046D97B126C9E9BDF0F0@AM5PR0602MB3249.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(40392960112811)(192374486261705)(128460861657000)(81160342030619);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(3231023)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041248)(20161123560025)(20161123564025)(20161123558100)(20161123555025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(6072148)(201708071742011); SRVR:AM5PR0602MB3249; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:AM5PR0602MB3249;
x-forefront-prvs: 052670E5A4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39860400002)(346002)(396003)(376002)(252514010)(24454002)(199004)(189003)(25724002)(40134004)(229853002)(2900100001)(966005)(82746002)(6486002)(93886005)(2906002)(99286004)(83716003)(316002)(6436002)(76176011)(2201001)(478600001)(83506002)(25786009)(8936002)(86362001)(58126008)(2950100002)(110136005)(6512007)(97736004)(3280700002)(5660300001)(8676002)(36756003)(6306002)(106356001)(7736002)(105586002)(14454004)(68736007)(81156014)(81166006)(53546011)(305945005)(66066001)(786003)(6246003)(45080400002)(5250100002)(6506007)(3660700001)(59450400001)(102836003)(3846002)(53936002)(6116002)(33656002)(2501003); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5PR0602MB3249; H:AM5PR0602MB3251.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <9544009794314C44958234F7869E5534@eurprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aa744c2e-d83a-4500-54c7-08d546761537
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Dec 2017 00:18:51.7888 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0602MB3249
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/07E3HClqanceJqpXJjbA6QcHZZQ>
Subject: Re: [Patient] [saag] Internet Draft posted as requested -
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 00:18:58 -0000
Hi Stephen, I agree we should not bore the list (and ourselves) repeating the disagreements we have. Those are the kind of discussions for the third or fourth beers... Just let me remark a couple of things I have seen when reviewing today's messages that I think are worth noting: 1) You do not need to break TLS or HTTPS, as there are potential alternatives that could be applicable, depending on the case. For IoT environments I foresee multiparty security could be a reasonable choice. For personal environments, I think Paul's idea of decrypt-and-bless could be something interesting to explore. And replying to Melinda, those proposals do not imply sharing session keys (though there is a draft on enterprise datacenters arguing for a related approach that I think has a solid case behind...) In summary: there are options on the table that deserve some attention, and do not imply breaking TLS 2) What I had in mind when replying to you was not arbitrary routers, or WiFi Aps, or any other network box being authorized to inspect encrypted traffic. I foresee a single (or very few) edge devices that are properly authenticated, authorized (in a PoC we have we even attest their software...) using the same kind of TTPs you mention. Be goode, -- "Esta vez no fallaremos, Doctor Infierno" Dr Diego R. Lopez Telefonica I+D https://www.linkedin.com/in/dr2lopez/ e-mail: diego.r.lopez@telefonica.com Tel: +34 913 129 041 Mobile: +34 682 051 091 ---------------------------------- On 18/12/2017, 01:23, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: Diego, I generally disagree with some of your earlier points where you disagree with me:-) I do agree that there are hard problems with updates and bugs in general for endpoints and devices in the middle. I don't agree that breaking TLS or HTTPs is a viable way to improve that, It'd make it worse. But rather than repeat things I've said to you in person before, for this threat, maybe it is work saying that the proponent here claimed to be interested in a new multiparty security protocol (in the mailing list description) which could have been a worthy, if unlikely to succeed endeavour. In Singapore, I concluded that they are primarily or maybe only interested in the web as used by people and in mitm'ing that. So personally I think the separate mailing list would be better closed down as it seems to have been started on the basis of some confusion wrt folks' goals. On 17/12/17 23:19, Diego R. Lopez wrote: > > I am afraid I don’t follow you here… What do you mean by “random > name/address that claims to be “good””? Given there are appropriate > roots of trust, how is this “random” trust different from the > certificate verification process in TLS? The difference in the above context is the the proponents here want TTPs that tell lies all the time, and that are so wide-spread and not well-known that they appear to the endpoints indistinguishable from a random router. The public Web PKI TTPs we have are far from perfect but at least they don't do that so far. There also appears to be some magical thinking that allows some proponents to say that they think these new lies can benefit the user and give the user more control. I have no clue how that can reflect a genuine technical opinion. S. ________________________________ Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
- [Patient] Internet Draft posted as requested - Brian Witten
- Re: [Patient] [EXT] Internet Draft posted as requ… Mingliang Pei
- Re: [Patient] Internet Draft posted as requested - Bret Jordan
- Re: [Patient] Internet Draft posted as requested … Paul Wouters
- Re: [Patient] [saag] Internet Draft posted as req… Peter Gutmann
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] Internet Draft posted as requested - Brian Witten
- Re: [Patient] Internet Draft posted as requested - Paul Wouters
- Re: [Patient] [EXT] Re: Internet Draft posted as … Brian Witten
- Re: [Patient] Internet Draft posted as requested - Black, David
- Re: [Patient] [EXT] RE: Internet Draft posted as … Brian Witten
- Re: [Patient] Internet Draft posted as requested - Bret Jordan
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [saag] Internet Draft posted as req… Diego R. Lopez
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [saag] Internet Draft posted as req… Black, David
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Brian Witten
- Re: [Patient] [saag] Internet Draft posted as req… Paul Wouters
- Re: [Patient] [saag] Internet Draft posted as req… Melinda Shore
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Brian Witten
- Re: [Patient] [saag] Internet Draft posted as req… Diego R. Lopez
- Re: [Patient] [saag] Internet Draft posted as req… Bret Jordan
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Mark Kennedy
- Re: [Patient] [saag] Internet Draft posted as req… Melinda Shore
- Re: [Patient] [saag] Internet Draft posted as req… Roland Zink
- Re: [Patient] Internet Draft posted as requested - Roland Zink
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Tero Kivinen
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Black, David
- Re: [Patient] [saag] Internet Draft posted as req… Bret Jordan
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Tero Kivinen
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Stephen Farrell
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Peter Gutmann
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Michael Richardson
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Michael Richardson
- [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] the IETF participant choice Ted Lemon
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] the IETF participant choice Ted Lemon
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Brian Witten
- Re: [Patient] the IETF participant choice Benjamin Kaduk
- Re: [Patient] the IETF participant choice Eggert, Lars
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Brian Witten
- Re: [Patient] the IETF participant choice Kathleen Moriarty