Re: [Patient] [EXT] Re: Internet Draft posted as requested -
Brian Witten <brian_witten@symantec.com> Thu, 14 December 2017 23:16 UTC
From: Brian Witten <brian_witten@symantec.com>
To: Paul Wouters <paul@nohats.ca>
CC: "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Date: Thu, 14 Dec 2017 23:16:29 +0000
Message-ID: <MWHPR16MB148859D8FC007D9B9D5005E6930A0@MWHPR16MB1488.namprd16.prod.outlook.com>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>, <alpine.LRH.2.21.1712141805020.15188@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1712141805020.15188@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/XSvBfZc2oTag95Si7-j857xhEGw>
Subject: Re: [Patient] [EXT] Re: Internet Draft posted as requested -
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
Hi Paul,

Thanks! I'm not against true end2end client-auth. That would help the server know for sure to whom they are talking, including both an endpoint that couldn't be impersonated, and the middlebox which the client wants helping with security.

Sending data "back" into the network just often has a too-ugly bandwidth cost. Doing things in-flow is far better from a bandwidth perspective, and I'm happy to make these middleboxes (currently impersonating) more explicitly accountable for their presence in the communications...

I hope that helps! Thanks Again!!

Brian

________________________________
From: Paul Wouters <paul@nohats.ca>
Sent: Thursday, December 14, 2017 3:10:53 PM
To: Brian Witten
Cc: patient@ietf.org; saag@ietf.org
Subject: [EXT] Re: [Patient] Internet Draft posted as requested -

On Thu, 14 Dec 2017, Brian Witten wrote:

> As a side comment, I’d also note the use of pejorative phrasing. “argues for the mitm attacks on https,” … It seems that you’re calling “network based blocking of malicious webpages” an “attack” when the blocking is actually blocking the server's _attack_ against the client. Where I choose to have a network proxy protect from evil on the net, I don’t consider that proxy to be attacking me. I consider that proxy to be protecting me, and many organizations manage keys accordingly. We see more and more people needing network help in protecting themselves from such attacks, as laid out in (1) through (5) above. I look forward to your feedback there.

Some call it that because you are actively trying to circumvent protection that https offers. If you let the client decrypt the data and then send that data (encrypted) to the network agent, no one would call it a mitm attack. But your proposal is to give private (session) keys from endpoint to the network agent, basically giving it the full power to impersonate the endpoint. That is a dangerous and needlessly insecure compromise.

Similarly, an email message can be received over TLS, and then forwarded to the network agent for scanning without giving the network agent the key material to sit in between network agent and remote mail server.

Paul
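The two designs Paul contrasts above (exporting the session key to a network agent versus letting the endpoint decrypt and forward the plaintext over the agent's own channel) can be modelled end to end. The following is an added example written for this archive page; it is not code from the thread, from any draft, or from any vendor product. It stands in for TLS with a toy encrypt-then-MAC record format built from HMAC-SHA256 (standard library only), and the function names, the `scan()` heuristic and the sample keys and payloads are constructed for illustration. What it shows is the property at issue: in the key-export design the agent can both read traffic and produce records the server accepts as the client's, whereas in the decrypt-and-forward design the agent can still scan every byte but cannot produce a record that verifies on the client/server session.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# --- toy "TLS record layer": encrypt-then-MAC from one session secret ---

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_keys(session_key: bytes) -> Tuple[bytes, bytes]:
    """Split one session secret into an encryption key and a MAC key."""
    return _prf(session_key, b"enc"), _prf(session_key, b"mac")

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC; stands in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Build one record: nonce || ciphertext || tag (tag covers nonce and ciphertext)."""
    enc_key, mac_key = derive_keys(session_key)
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_record(session_key: bytes, record: bytes) -> Optional[bytes]:
    """Verify the tag first; return plaintext, or None if the record is not genuine."""
    enc_key, mac_key = derive_keys(session_key)
    if len(record) < 12 + 32:
        return None
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- the network agent's job: look at plaintext and give a verdict ---

BAD_MARKER = b"EICAR-TEST"   # constructed stand-in for a malware signature

def scan(plaintext: bytes) -> str:
    return "block" if BAD_MARKER in plaintext else "allow"

FORGED_REQUEST = b"GET /something-the-client-never-sent"   # constructed

# --- Design 1: endpoint exports the session key to the agent ---

def key_export_design(session_key: bytes, server_response: bytes) -> dict:
    agent_key = session_key                      # the key export
    record = seal(session_key, server_response)  # server -> client on the wire
    seen = open_record(agent_key, record)        # agent reads it off the wire
    # Holding the session key, the agent can also write records the server
    # will accept as coming from the client: full impersonation.
    forged = seal(agent_key, FORGED_REQUEST)
    return {
        "agent_can_read": seen == server_response,
        "verdict": scan(seen) if seen is not None else "unknown",
        "server_accepts_forgery": open_record(session_key, forged) is not None,
    }

# --- Design 2: endpoint decrypts, then forwards plaintext on a separate channel ---

def decrypt_and_forward_design(session_key: bytes, agent_channel_key: bytes,
                               server_response: bytes) -> dict:
    record = seal(session_key, server_response)
    plaintext = open_record(session_key, record)          # only the client can do this
    to_agent = seal(agent_channel_key, plaintext)         # client -> agent, own key
    seen = open_record(agent_channel_key, to_agent)       # agent scans the same bytes
    # The agent never sees session_key, so anything it builds with the key it
    # does hold fails verification on the client/server session.
    forged = seal(agent_channel_key, FORGED_REQUEST)
    return {
        "agent_can_read": seen == server_response,
        "verdict": scan(seen) if seen is not None else "unknown",
        "server_accepts_forgery": open_record(session_key, forged) is not None,
    }

if __name__ == "__main__":
    sk, ak = secrets.token_bytes(32), secrets.token_bytes(32)
    print("key export:          ", key_export_design(sk, b"<html>EICAR-TEST</html>"))
    print("decrypt and forward: ", decrypt_and_forward_design(sk, ak, b"<html>EICAR-TEST</html>"))
```

Both designs return `verdict == "block"` for the sample payload, so the scanning capability is identical; they differ only in `server_accepts_forgery`, which is what the "full power to impersonate the endpoint" objection is about. The bandwidth point from Brian's reply is not modelled here: design 2 does move a second copy of the plaintext to the agent.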