Re: [Patient] [EXT] Re: Slides from the PATIENT meeting in Singapore

Brian Witten <brian_witten@symantec.com> Thu, 16 November 2017 04:02 UTC

From: Brian Witten <brian_witten@symantec.com>
To: Paul Wouters <paul@nohats.ca>
CC: "patient@ietf.org" <patient@ietf.org>
Thread-Topic: [EXT] Re: [Patient] Slides from the PATIENT meeting in Singapore
Thread-Index: AQHTXopdtzLxyoB5okmgmlUqi815LqMWXIeAgAADX+g=
Date: Thu, 16 Nov 2017 04:02:47 +0000
Message-ID: <MWHPR16MB14889A9B1FEC3F618EC04951932E0@MWHPR16MB1488.namprd16.prod.outlook.com>
References: <MWHPR16MB148817B4DA4B82B793D44DB493510@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14882E7612CB8A1EEDEF73C593560@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488343E419A6EC03325F78C932E0@MWHPR16MB1488.namprd16.prod.outlook.com>, <alpine.LRH.2.21.1711152236080.18091@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1711152236080.18091@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/7atSbdoQl16XfJXjbrxtfKE23Z8>
Subject: Re: [Patient] [EXT] Re: Slides from the PATIENT meeting in Singapore
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>

Thank you Paul for the clarification, particularly on the Note Well!


I'm rusty at this since my last IETF was nearly 20 years ago.


In light of your clarification I won't be distributing more detailed notes in case any of the comments were meant for the moment not for eternity.


Re the URL, will do.  Probably next week if not sooner.


On "why is anything more needed," one of the risks is the "malicious CDN" concern framed in Boneh's Stickler paper, and I can walk through the other limits of current middlebox/proxy approaches as well, but I'm happy to focus first on the ask from Stephen, unless you prefer otherwise.


Thanks Again Either Way!!


Cheers,

Brian



________________________________
From: PATIENT <patient-bounces@ietf.org> on behalf of Paul Wouters <paul@nohats.ca>
Sent: Wednesday, November 15, 2017 7:41:37 PM
To: Brian Witten
Cc: patient@ietf.org
Subject: [EXT] Re: [Patient] Slides from the PATIENT meeting in Singapore

On Thu, 16 Nov 2017, Brian Witten wrote:

> I'll also very shortly post the slides to this list as promised.

A URL would be better, we can share more easily (as the archive will
likely mangle the attachment or create a very strange link for it)

> Unless anyone objects on this list, we're working on a more detailed set of notes, Chatham house rules

You can privately do what you want, but Chatham house rules is not
compatible with the IETF Note Well, so anything on this list should
not fall under those rules (and temporarily working under different
rules for a subset of people seems a bit odd to me). So I am confused
about the "we".

> (a) Helps each endpoint control which parties and network devices are empowered to decrypt traffic to help protect them,
> (b) Helps each endpoint see when one of those parties or devices modifies content coming from the other endpoint, such as removing attacks, and see that with a cryptographic audit trail of who changed what where when and why, such as removing attacks,
> (c) And does all of the above without breaking or weakening any of the cryptography or cryptographic protocols in any way, including not breaking or changing TLS.

I still do not see why I cannot selectively use either a SOCKS proxy or
regular proxy, over regular TLS, to the middleware box / protection
service, on a per-domain basis. That is, you have not convinced me there
is any need for a protocol change. Without a clear need, the existing
protocols should not be further complicated.

Paul

_______________________________________________
PATIENT mailing list
PATIENT@ietf.org
https://www.ietf.org/mailman/listinfo/patient
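Paul's point above is that per-domain routing to a protection service needs no protocol change: the endpoint itself decides which destinations go through the proxy. The following is an added illustration of that idea, not code from the PATIENT list or either participant. It is a minimal PAC-style selector (the same `FindProxyForURL(url, host)` entry point browsers evaluate) that sends only an opted-in set of domains to a proxy and leaves everything else end-to-end. The proxy address `protection.example:3128` and the domain list are constructed placeholders; the helper functions `isSubdomainOf` and `classify` are added here for clarity and are not part of any PAC runtime.

```javascript
// Added example (not from the thread): a minimal PAC-style selector that
// routes only an allow-listed set of domains through a protection-service
// proxy and returns DIRECT for everything else. Names are constructed:
// "protection.example:3128" and the domain list are placeholders.

// Domains (and their subdomains) the endpoint chooses to route through the
// protection service. Constructed sample values.
const INSPECTED_DOMAINS = ["example.com", "downloads.example.net"];

// Directive in PAC syntax: "PROXY host:port" or "DIRECT".
const PROTECTION_PROXY = "PROXY protection.example:3128";

// True when host equals domain or is a subdomain of it. A plain suffix test
// would also match "notexample.com", so require a dot boundary.
function isSubdomainOf(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Same signature as a browser PAC entry point; returns the directive the
// client applies to this request.
function FindProxyForURL(url, host) {
  // Literal IP addresses (IPv4 digits/dots, or bracketed IPv6) are never
  // matched against the domain list and stay DIRECT.
  if (/^[\d.]+$/.test(host) || host.includes(":")) {
    return "DIRECT";
  }
  for (const domain of INSPECTED_DOMAINS) {
    if (isSubdomainOf(host, domain)) {
      return PROTECTION_PROXY;
    }
  }
  // Anything the endpoint did not opt in remains end-to-end.
  return "DIRECT";
}

// Convenience for demos and tests: map each URL's hostname to its directive.
function classify(urls) {
  const result = {};
  for (const u of urls) {
    const host = new URL(u).hostname;
    result[host] = FindProxyForURL(u, host);
  }
  return result;
}

// Stand-alone demonstration with constructed URLs.
console.log(classify([
  "https://example.com/",
  "https://www.example.com/login",
  "https://notexample.com/",
  "https://cdn.downloads.example.net/file.bin",
  "http://10.0.0.1/",
]));
```

The selection is entirely the client's policy: the set of domains, and whether a proxy is used at all, is chosen by the endpoint, which is the property Paul is pointing at. What the file does not provide is any evidence of what the proxy did to the traffic once it had it, which is the separate question Brian raises about an audit trail.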