Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Roland Dobbins" <rdobbins@arbor.net> Sat, 15 July 2017 11:56 UTC

From: Roland Dobbins <rdobbins@arbor.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, IETF TLS <tls@ietf.org>
Date: Sat, 15 Jul 2017 18:56:31 +0700
Message-ID: <31358CD2-0913-4CA5-88A2-89AB8C4FBF88@arbor.net>
In-Reply-To: <87379yrlqp.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2HskkutA33EYEfqdFwJ65SRRetY>

On 15 Jul 2017, at 18:19, Daniel Kahn Gillmor wrote:

> I'd like to hear from the people who are doing full-take network capture
> within their datacenters about how they protect the security of the
> internal decryption systems.

Firstly, they generally aren't storing everything, forever.  Most of the 
time, they feed into collection/analysis systems, and most if not all of 
the actual packets are discarded.

In many cases, they're only enabled on a situational basis - say, a 
security incident or a troubleshooting session.  Most if not all of the 
packets are discarded afterwards, in most cases.

In most cases, they're running on completely out-of-band management 
networks, using transparent taps or SPAN ports or equivalent.  In some 
cases, they can be used to intervene in the cryptostream - but even in 
that in-band case, all the management functions are still isolated on 
out-of-band management networks which are not interconnected with the 
production network, and are further isolated as necessary by 
implementing situationally-appropriate network access policies.

> It certainly sounds like a tempting target for any adversary 
> interested in datacenter operations.

I guarantee you that your bank, your hospital, your insurance provider, 
your credit card processor, your retailer, and/or your government 
welfare agency are doing this, and have been doing it for a long time.

It's quite common in the national security space, as well as other 
governmental bureaux.

I'm not saying everyone has implemented this perfectly, or optimally - 
but it is a common practice which has been going on for many years, and 
the loss of the ability to perform these functions would result in a net 
security loss for these organizations and for their customers and 
constituents - i.e., proles like you and me.

It isn't new, it isn't unique, it isn't a case of a small group engaging 
in special pleading.  What's amazing is that very few engaged in this 
discussion seem to understand all this.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>