IETF Logo Mail Archive

Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile

Rob Sayre <sayrer@gmail.com> Fri, 07 April 2023 22:03 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAC85C1524DE for <tls@ietfa.amsl.com>; Fri, 7 Apr 2023 15:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.993
X-Spam-Level:
X-Spam-Status: No, score=-1.993 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J31KTTGMaqVv for <tls@ietfa.amsl.com>; Fri, 7 Apr 2023 15:03:03 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0257BC152A11 for <TLS@ietf.org>; Fri, 7 Apr 2023 15:03:03 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id ga37so55163ejc.0 for <TLS@ietf.org>; Fri, 07 Apr 2023 15:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680904981; x=1683496981; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OO2O0UkrlKRnqoqa7qzGAHdu8QiBST3k0Gx6rxdyKvA=; b=WLui3YDNoAyNEUQlE3lwRUtV7aVd/mXkxZxlxasCbAdpJkMKgA/nIWNe30607LluCb 71I3wYTNSAblW0wHwfPUcGax6cn+lstakcIzkNPYFyq4dNPFxR7gQaLXdP7dycJbAMZi 1MRTUop3YzaxvlmEQMrCROVtdqeE0N5jZe6aER78PGiRzgUV94ba+75iujlZ3O5+ODZh CQlKHkqWILHAn2jplLLX9mKU74nlWu06HCp++UfEVfR7wcaG9Ve/vw/xNo6eIcoJ9Nb8 IJmAE/2dWvoq7JfJ4hzZfUMEOoosWnZogtFQ+2rJXXX624j5sY6X18MPd62kSA3n2hF4 Z8Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680904981; x=1683496981; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OO2O0UkrlKRnqoqa7qzGAHdu8QiBST3k0Gx6rxdyKvA=; b=b5MSYccvRwJ+U3wFhts7qy4DFp/Hu1yo27HDU2SLQnJnbfP3IFB3iLVo+3bTp8a+LU 3OoAoHmsaC8e6aI5fJKICTdtVG/8rTehV3gWbzN10i6B8/TAnB1YVGvwsU5dFJgP0jPQ YS0lcLINknax3TeW9iFtBBmZcwLdRXkV8l1SuSsJflyyh9afl1v5NljJRcXTNe+PYA8N YS39EgkterV+vVrVHij9bCZASD7FyhOxS9+wL1HF3dDdNkdKaB5ybO/ifP1pV8/kI7ja 8EUF0dPoCoJX3SYwGv6DwQol0Wmm6v+Kx2cfEGKUJf1WBYBeKupmSdL7J9iQMXWRMFCN vfwg==
X-Gm-Message-State: AAQBX9cuwwB9KtKccvECEfwF+8cfgyerf0XLNmpljhPt8BiGGnemyJ06 L/z56gpx9CYpS+eIF5PVA80gcN3Bucq0VQ9sI5c=
X-Google-Smtp-Source: AKy350ay0+OzMe9cB1zkw1NSH86e/w4bhV9dJK48UFrjPpeMmY52gglvYhOXoytmm4eqDj46qvl9vYXHXu14Esh8NKo=
X-Received: by 2002:a17:907:6287:b0:93e:c1ab:ae67 with SMTP id nd7-20020a170907628700b0093ec1abae67mr398926ejc.2.1680904981226; Fri, 07 Apr 2023 15:03:01 -0700 (PDT)
MIME-Version: 1.0
References: <15D5BB25-508F-42E3-B843-BCB81B668355@sn3rd.com> <24A48A16-1CAD-4D88-9376-2B51EE4955CA@heapingbits.net> <GVXPR07MB967855D220977DF03CFD984B89919@GVXPR07MB9678.eurprd07.prod.outlook.com> <DM6PR00MB0683D688396F1948A445DB0C8C919@DM6PR00MB0683.namprd00.prod.outlook.com> <GVXPR07MB96784E784CDD8D6F8D26C1CF89969@GVXPR07MB9678.eurprd07.prod.outlook.com> <CH2PR00MB0678FC0BAD43368B70A3D7408C96A@CH2PR00MB0678.namprd00.prod.outlook.com> <CAChr6SyT2sFJ-FSRXvxyoXpLziEgtXRDN6UZS3qkbQYXSw3vpQ@mail.gmail.com>
In-Reply-To: <CAChr6SyT2sFJ-FSRXvxyoXpLziEgtXRDN6UZS3qkbQYXSw3vpQ@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 07 Apr 2023 15:02:49 -0700
Message-ID: <CAChr6SyWFTCzU3eU-yH2oNs3B0C3WkK14X-JKZBvLCWPnU=L0g@mail.gmail.com>
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, Sean Turner <sean@sn3rd.com>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004ea95e05f8c630f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1SgYqB0b4nriyFCNegUhYVzESSA>
Subject: Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2023 22:03:08 -0000

On Fri, Apr 7, 2023 at 2:19 PM Rob Sayre <sayrer@gmail.com> wrote:

> Hi,
>
> I think this concern is really reasonable.
>
> I would suggest publishing it on the independent stream, not AD
> sponsorship. It's not an end-run around any IETF activity, but it should be
> documented.
>
> thanks,
> Rob
>

And, just in case anyone reading this is not a standards dork (like me),
here is why this path exists:

https://www.rfc-editor.org/about/independent/

"The Independent Submission Stream allows RFC publication for some
documents that are outside the official processes of the IETF, IAB, and
IRTF but are relevant to the Internet community and achieve reasonable
levels of technical and editorial quality."

This example seems like a textbook case. The only thing that I disagree
with the chairs on is "IETF change control". I think that is radioactive
and the IETF shouldn't touch it.

Reasonable people can disagree,
Rob




>
>
> On Fri, Apr 7, 2023 at 11:19 AM Andrei Popov <Andrei.Popov=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
>>
>>    - That seems way to soft and does not say anything about reusing a
>>    key share in an _*ECDHE*_ cipher suite for a long time making it
>>    static. But RFC8446bis now has added SHOULD NOT reuse key share which is
>>    very welcome. My preference would be MUST NOT reuse.
>>
>> Agreed, and I also generally agree with your analysis of options 1-4.
>>
>>
>>
>> However, the IETF standardizing any TLS MITM/visibility options would be
>> a net negative, from my perspective. That would increase the (already
>> significant) pressure on TLS stack implementors to provide these
>> “visibility” solutions. This pressure already comes from a lot of different
>> angles.
>>
>>
>>
>> Cheers,
>>
>>
>>
>> Andrei
>>
>>
>>
>> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *John Mattsson
>> *Sent:* Friday, April 7, 2023 8:25 AM
>> *To:* Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>; John
>> Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; Christopher Wood
>> <caw@heapingbits.net>; Sean Turner <sean@sn3rd.com>
>> *Cc:* TLS@ietf.org
>> *Subject:* [EXTERNAL] Re: [TLS] Call for adoption of
>> draft-thomson-tls-keylogfile
>>
>>
>>
>>
>>
>> Thanks!
>>
>>
>>
>> >“Implementations MUST NOT negotiate the cipher suites with NULL
>> encryption.”
>>
>> I will add a link to RFC 9325 in the next version of
>> draft-mattsson-tls-psk-ke-dont-dont-don’t
>>
>> >“Implementations SHOULD NOT negotiate cipher suites based on
>> non-ephemeral (static) finite-field Diffie-Hellman (DH) key agreement.”
>>
>> That seems way to soft and does not say anything about reusing a key
>> share in an _*ECDHE*_ cipher suite for a long time making it static. But
>> RFC8446bis now has added SHOULD NOT reuse key share which is very welcome.
>> My preference would be MUST NOT reuse.
>>
>> Cheers,
>> John
>>
>>
>>
>> *From: *TLS <tls-bounces@ietf.org> on behalf of Andrei Popov <
>> Andrei.Popov=40microsoft.com@dmarc.ietf.org>
>> *Date: *Thursday, 6 April 2023 at 20:08
>> *To: *John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>,
>> Christopher Wood <caw@heapingbits.net>, Sean Turner <sean@sn3rd.com>
>> *Cc: *TLS@ietf.org <TLS@ietf.org>
>> *Subject: *Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile
>>
>>    - Maybe IETF (e.g., UTA) could say what organizations should
>>    definitely not do (like NULL encryption).
>>
>> This is already done. UTA BCPs prohibit NULL encryption and static DH:
>> https://www.rfc-editor.org/rfc/rfc9325.html
>>
>> “Implementations MUST NOT negotiate the cipher suites with NULL
>> encryption.”
>>
>> “Implementations SHOULD NOT negotiate cipher suites based on
>> non-ephemeral (static) finite-field Diffie-Hellman (DH) key agreement.”
>>
>>
>>
>> Cheers,
>>
>>
>>
>> Andrei
>>
>>
>>
>> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *John Mattsson
>> *Sent:* Thursday, April 6, 2023 7:41 AM
>> *To:* Christopher Wood <caw@heapingbits.net>; Sean Turner <sean@sn3rd.com
>> >
>> *Cc:* TLS@ietf.org
>> *Subject:* [EXTERNAL] Re: [TLS] Call for adoption of
>> draft-thomson-tls-keylogfile
>>
>>
>>
>> Hi,
>>
>>
>>
>> So, what should people do regarding visibility? There are obviously
>> organizations that think they need visibility. I see the topic popping up
>> frequently in a lot of different places. Both in IETF and outside.
>>
>> I see four ways to achieve visibility.
>>
>>
>>
>>   1. Do things in the endpoints.
>>
>>   2. Use NULL encryption
>>
>>   3. Use a static DH key instead of ephemeral. Share static DH key.
>>
>>   4. Export session keys to intermediate node.
>>
>>
>>
>> I don't see 2 and 3 are not viable solutions at all, ever.
>>
>>
>>
>> Regarding 2. it violates several of the TLS security properties. NIST
>> states as the first basic assumption for network connectivity for any
>> organization that utilizes zero trust is that:
>>
>>
>>
>>     "The entire enterprise private network is not considered an implicit
>> trust zone. Assets should always act as if an attacker is present on the
>> enterprise network, and communication should be done in the most secure
>> manner available. This entails actions such as authenticating all
>> connections and encrypting all traffic."
>>
>>
>>
>> Regarding 3. it violates one of the fundamental TLS 1.3 security
>> properties namely "Forward secret with respect to long-term keys". It also
>> violates zero trust principles. Two essential zero trust principles
>> according to NIST and NSA are to assume that breach is inevitable or has
>> likely already occurred and to minimize the impact when breach occur. One
>> type of breach is key compromise. Using PFS is a must to limit the impact
>> of key compromise and therefore to follow zero trust principles.
>>
>>
>>
>> The only viable solutions I see are therefore 1 or 4:
>>
>>
>>
>> 1. do things in the endpoints
>>
>>
>>
>> 4. export sessions keys to the intermediary and making sure that the
>> intermediary does not store the keys long term. Storing the session keys
>> long term violates the TLS security properties and the zero trust
>> principles described above.
>>
>>
>>
>> Regarding 4. there are many different solutions.
>>
>>
>>
>> - SSLKEYLOGFILE is a de facto standard for exporting TLS key material.
>>
>>
>>
>> - ETSI CYBER has standardized Middlebox Security Protocol.
>>
>>
>> https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf
>>
>>
>>
>> - Proprietary solutions such as
>>
>> https://www.nubeva.com/pillar/get-session-keys
>> <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-5f34a1d271355f52&q=1&e=f3aeeac6-dde5-492c-8992-c755e6a13aca&u=https%3A%2F%2Fwww.nubeva.com%2Fpillar%2Fget-session-keys>
>>
>>
>>
>> If IETF cannot say that anything is recommended. Maybe IETF (e.g., UTA)
>> could say what organizations should definitely not do (like NULL
>> encryption). Seems like a lot of organizations are deploying different
>> kinds of solutions right now. They will likely do less secure things than
>> necessary...
>>
>>
>>
>> Cheers,
>>
>> John
>>
>>
>>
>> *From: *TLS <tls-bounces@ietf.org> on behalf of Christopher Wood <
>> caw@heapingbits.net>
>> *Date: *Thursday, 19 January 2023 at 15:57
>> *To: *Sean Turner <sean@sn3rd.com>
>> *Cc: *TLS@ietf.org <tls@ietf.org>
>> *Subject: *Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile
>>
>> Hi folks,
>>
>> Apologies for the delay in concluding this adoption call. To close the
>> loop here, it doesn’t look like we have sufficient support to adopt the
>> document as a WG item.
>>
>> The chairs would like to recommend AD sponsorship as a viable path
>> forward for this document. This should achieve the desired end goal of
>> moving change control from the fine folks maintaining NSS to the IETF while
>> also nailing down the now widely supported format used in production.
>>
>> Best,
>> Chris, for the chairs
>>
>> > On Nov 28, 2022, at 1:41 PM, Sean Turner <sean@sn3rd.com> wrote:
>> >
>> > Hi!
>> >
>> > At TLS@IETF115, the sense of the room was that there was WG support to
>> adopt draft-thomson-tls-keylogfile [1].  This message is to judge consensus
>> on whether the WG should adopt draft-thomson-tls-keylogfile. Please
>> indicate whether you do or do not support adoption of this I-D by 2359UTC
>> on 12 December 2022. If do not support adoption, please indicate why.
>> >
>> > Cheers,
>> > Chris, Joe, and Sean
>> >
>> > [1] https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/
>> > _______________________________________________
>> > TLS mailing list
>> > TLS@ietf.org
>> > https://www.ietf.org/mailman/listinfo/tls
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>

v2.23.0 | Report a Bug | By Email