Re: [Patient] Internet Draft posted as requested -

Paul Wouters <paul@nohats.ca> Thu, 14 December 2017 23:11 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8891C127005; Thu, 14 Dec 2017 15:11:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MvBrW9079KoI; Thu, 14 Dec 2017 15:11:01 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C212126CBF; Thu, 14 Dec 2017 15:11:01 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3yyTnY3szQz1Kh; Fri, 15 Dec 2017 00:10:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1513293057; bh=92jAJLB1FNJrg8L64C3ef1ugUQienllrtWtecKiFe9U=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=PD7gVBTQvEIMxU4bL+rOCfCNslAl2hAXFb+8yWfHyVt6HRp3EDyy3naaQD/NALEYJ 8+PxuXKEIMGQlzBrfLLvOJlcV5sgeJIvlRURCEV1ULRKr4jgUGQ3D4gCoS1wk/ej1N OGRLJloMk4Rr3YzI6psrl/zPPyC2tgAaSv4Hona4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id w0uB7r-ZGOBQ; Fri, 15 Dec 2017 00:10:55 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 15 Dec 2017 00:10:54 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id F058F70A3FD; Thu, 14 Dec 2017 18:10:53 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca F058F70A3FD
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D78D243A0D40; Thu, 14 Dec 2017 18:10:53 -0500 (EST)
Date: Thu, 14 Dec 2017 18:10:53 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Brian Witten <brian_witten@symantec.com>
cc: "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
In-Reply-To: <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1712141805020.15188@bofh.nohats.ca>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/R1p8VNl2sd-2plIph5EVFviSy0M>
Subject: Re: [Patient] Internet Draft posted as requested -
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Dec 2017 23:11:03 -0000

On Thu, 14 Dec 2017, Brian Witten wrote:

> As a side comment, I’d also note the use of pejorative phrasing.  “argues for the mitm attacks on https,” … It seems that you’re calling “network based blocking of malicious webpages” an “attack” when the blocking is actually blocking the server's _attack_ against the client.  Where I choose to have a network proxy protect from evil on the net, I don’t consider that proxy to be attacking me.  I consider that proxy to be protecting me, and many organizations manage keys accordingly.  We see more and more people needing network help in protecting themselves from such attacks, as laid out in (1) through (5) above.  I look forward to your feedback there.

Some call it that because you are actively trying to circumvent protection
that https offers.

If you let the client decrypt the data and then sent that data (encrypted)
to the network agent, no one would call it mitm attack.

But your proposal is to give private (session) keys from endpoint to
the network agent, basically giving it the full power to impersonate
the endpoint. That is a dangerous and needlessly insecure compromise.

Similarly, an email message can be received over TLS, and then forwarded
to the network agent for scanning without giving the network agent the
key material to sit in between network agent and remote mail server.

Paul