IETF Logo Mail Archive

Re: Request for Authenticated but not Encrypted Traffic

Martin Thomson <mt@lowentropy.net> Fri, 30 September 2022 03:11 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A59F1C15257B for <quic@ietfa.amsl.com>; Thu, 29 Sep 2022 20:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=uLzJc4RP; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=KmrLJ5cO
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIBFTOIFpUxV for <quic@ietfa.amsl.com>; Thu, 29 Sep 2022 20:11:18 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277B3C152575 for <quic@ietf.org>; Thu, 29 Sep 2022 20:11:18 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 4331C5C016A for <quic@ietf.org>; Thu, 29 Sep 2022 23:11:17 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute3.internal (MEProxy); Thu, 29 Sep 2022 23:11:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; t=1664507477; x=1664593877; bh=BIf/Z5hryz LVe8lz1NZkwaO0ME0b35JfQl4RxZYdEo0=; b=uLzJc4RPN6gshBk3PGoDJ/FsVm ILMdVKSgMnYGv+T6P0LzMejnxK/Bfpp+0Pc3J8yR4fYqn0FvAoVsfdWPxUkIRQvM 2sjd+kyX1CiBIGZOkAmNjKpAIzx/Cz0A1Dm7QDIeBFbxPW8WJg4W9QwVtlNANNNp yz6jvyGHKHNRUdLQ8IkdgRDRvm/3tQFjoLoeYR65tbR8+d5RQwUyY3iuJgs0lBdU Q7BmVwWYrhR1mee6k0EqvlJzP98wa1KgrICvJlKEZJsY9DNpS0qaejTQb1erZS6B fwqb/rKKBz2MDQzObozp94gauS+qhh2xslioIA/Y+B3ZoGPrzHz58Lb03JKQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1664507477; x=1664593877; bh=BIf/Z5hryzLVe8lz1NZkwaO0ME0b 35JfQl4RxZYdEo0=; b=KmrLJ5cOFitogqRxFRCD2090kB0T8csMP1QipoIlFLbI tjPG2UzSMqTCQjuL/c2GzZDAbuuq9NUKQbBsZIbw1dTft+/O2XgHVfCnYMsGXRju +XYSLo7tla2BG3muagqslqmf5/4p0iKy6/axP39RwPBd4z5PxMO8g9/MyKQQTBz/ ig1QT5tD+/NGyS+SYC7XjiL77JwiAuNR2yusTWur6lzOaYGxhAff1uG/qKAn8HY8 E9xB2Rtxv+ik8l4nPq2sN+xcFCtb8nx5XIbY4K23/cFEtLRviA1sgZkTml5KItBb 2ElyOBWZauk+zz6lotPuqhNplDw+TDaI6G596xwd9w==
X-ME-Sender: <xms:VV42YxNAtgH_o00vwr6meA4z5gd0FiwxZk_Vcx6hnFmnuO1D5o0P6g> <xme:VV42Yz92pEuFnc2Q_Aj9ug4mZoTE8BC_UrMKzZ4seQYUq-S30kuv2yd2Gkw7L6o8e BhdxQ1sdX73MelP6q4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeehuddgieejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeekteeuieektdekleefke evhfekffevvdevgfekgfeluefgvdejjeegffeigedtjeenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:VV42YwRLt5LXIwuFeeI0v3IKmiEDvfrTttUTPzVBiAcufRuRy-vlHQ> <xmx:VV42Y9v0AwoiLsLkxSNZlX-OtnU93oi_deRLsPpksm9uXQNZmbwfIA> <xmx:VV42Y5fH07HeRWJE8LLAWQlt1cfT0KNY0gHtPtd6esn2rhhQhF6CKg> <xmx:VV42Yzp6WQY_VfaCcaieKosy_euiYQ_vtS6e0DC66jbU1GdxcrJclQ>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id F38EA234007B; Thu, 29 Sep 2022 23:11:16 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-968-g04df58079d-fm-20220921.001-g04df5807
Mime-Version: 1.0
Message-Id: <dd3f71e8-c086-4b9a-9341-f0ee94248f1b@app.fastmail.com>
In-Reply-To: <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com>
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com>
Date: Thu, 29 Sep 2022 17:10:55 -1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Request for Authenticated but not Encrypted Traffic
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_jQCCkxf6aFPSXdspO52a9VF6Rg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 03:11:22 -0000

On Thu, Sep 29, 2022, at 16:51, Phillip Hallam-Baker wrote:
> A better approach for this particular requirement is to have a 
> mechanism which uses encryption but explicitly provides the necessary 
> observer decryption capabilities. 

This I agree with.

> But that approach has been repeatedly rejected in IETF.

Maybe.  But the widespread adoption of SSLKEYLOGFILE would suggest otherwise.  I think that the thing that is most objectionable is the weakening of TLS.  Methods that don't affect TLS security - like SSLKEYLOGFILE - and engage with end systems and their users directly and honestly are less of a threat to the security of other TLS users.

v2.23.0 | Report a Bug | By Email