Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"Ackermann, Michael" <MAckermann@bcbsm.com> Mon, 23 October 2017 22:09 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00DCA1399D2 for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 15:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DThKjIB0UOpt for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 15:09:39 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1C9D139A5A for <tls@ietf.org>; Mon, 23 Oct 2017 15:09:38 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 0E4AB1C0BBD for <tls@ietf.org>; Mon, 23 Oct 2017 17:09:38 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id 244A41C0A63; Mon, 23 Oct 2017 17:09:37 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DCF24FE055; Mon, 23 Oct 2017 18:09:36 -0400 (EDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8B1A5FE04E; Mon, 23 Oct 2017 18:09:36 -0400 (EDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (unknown [216.32.181.178]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Mon, 23 Oct 2017 18:09:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ittGJjX5kXtf22uJYfmD/e7LyLi7WjHM6bdEwbCLurY=; b=S72MZX1UQ3Ub+VZkooUZtvzCIt/fCNxte/CJvvmxpeInosoirlsz4WG71O97wAscUhxIm/rbSZOvj8feAF9sxQad0rkw89v3InjsQ/DMWyJTykssC8KXdqMvcySzVW4EH8cWA9hP2KTBa29iSU643e3KPffMymUwGX/QvdOoQx0=
Received: from CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) by CY4PR14MB1365.namprd14.prod.outlook.com (10.172.158.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Mon, 23 Oct 2017 22:09:35 +0000
Received: from CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) by CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) with mapi id 15.20.0077.022; Mon, 23 Oct 2017 22:09:34 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Tony Arcieri <bascule@gmail.com>, Adam Caudill <adam@adamcaudill.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Thread-Index: AQHTO710HVvcnaInjUunozwwxCXv1qLp+S4AgAFTKoCAAAWPgIAAANmAgAABFgCAAAA7gIAAAPWAgAADKICAAALZAIAABTaAgAACs4CAAAEIAIAABEYAgAAZuoCAAAV4gIAAVLoAgAD/VwCAABsIAIAADvYAgAAFHmCAAAbigIADZUkAgAAIFICAAB86QIAACamAgAD42jCAABKIgIAACV1AgAADZ4CAAAF70IAAA1UAgAAA2TCAABBTAIAAGDwAgAAqLYCAAAW3AA==
Date: Mon, 23 Oct 2017 22:09:34 +0000
Message-ID: <CY4PR14MB1368C52236964E69E1F124FBD7460@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <7E6C8F1F-D341-456B-9A48-79FA7FEC0BC1@gmail.com> <a599d6ad-54db-e525-17d6-6ea882880021@akamai.com> <71e75d23f4544735a9731c4ec3dc7048@venafi.com> <3D2E3E26-B2B9-4B04-9704-0BBEE2E2A8F7@akamai.com> <000501d348e5$1f273450$5d759cf0$@equio.com> <70837127-37AB-4132-9535-4A0EB072BA41@akamai.com> <e8417cc424fe4bf3b240416dfffd807a@venafi.com> <B11A4F30-2F87-4310-A2F0-397582E78E1D@akamai.com> <fd12a8a8c29e4c7f9e9192e1a1d972d6@venafi.com> <D2CAAA44-339E-4B41-BCE0-865C76B50E2F@akamai.com> <d76828f02fc34287a961eba21901247b@venafi.com> <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <31F5A73E-F37E-40D8-AA7D-8BB861692FED@akamai.com> <13592ABB-BA71-4DF9-BEE4-1E0C3ED50598@gmail.com> <2EE9CB23-AEDA-4155-BF24-EBC70CD302EF@fugue.com> <CY4PR14MB136816569A2AE2A9760C6E08D7410@CY4PR14MB1368.namprd14.prod.outlook.com> <557F43AC-A236-47BB-8C51-EDD37D09D5CB@fugue.com> <CY4PR14MB13684F18AD75F4AE767CE35CD7460@CY4PR14MB1368.namprd14.prod.outlook.com> <57CFBA2A-E878-47B0-8284-35369D4DA2DF@fugue.com> <CY4PR14MB13680B6D5726D940C4C51B4BD7460@CY4PR14MB1368.namprd14.prod.outlook.com> <0D75E20C-135D-45BC-ABE4-5C737B7491C9@akamai.com> <CY4PR14MB1368378B42A6C46B27F5EF01D7460@CY4PR14MB1368.namprd14.prod.outlook.com> <2AC16F9E-C745-43AD-82C1-D3953D51816C@fugue.com> <CY4PR14MB1368895DD0D72286635E4E83D7460@CY4PR14MB1368.namprd14.prod.outlook.com> <E37A3920-D7E3-4C94-89D0-6D3ECDEBCFF6@fugue.com> <CAFJuDmMZMRqvhyLFMoUo_5KPaVu3d4o2ZEQ_PiAOxWe7CtGgYQ@mail.gmail.com> <CAHOTMVJZpWfdCSrzYXhb5-gyzpjuNzoEMjM9DywqRu6Q8op_vw@mail.gmail.com>
In-Reply-To: <CAHOTMVJZpWfdCSrzYXhb5-gyzpjuNzoEMjM9DywqRu6Q8op_vw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-originating-ip: [165.225.39.61]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1365; 20:cXvJEKCIEZFD/a4aulalokCVfEybhXdRctciSQbRQzgbr97yE7U8/jfN2sBCkpqJoMNUUVE1OzC3dSlf31UCGHrZC93wBKERpZH+Ne/qo5ugJGOGkgvJQNDN6vVHm1uwXxkAagvzxj0jc6oiYNEH2FZFeY8ZXOyHhHgJErNHnGk=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 39a07e55-1358-479a-0dec-08d51a62be93
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:CY4PR14MB1365;
x-ms-traffictypediagnostic: CY4PR14MB1365:
x-exchange-antispam-report-test: UriScan:(72170088055959)(192374486261705)(21748063052155);
x-microsoft-antispam-prvs: <CY4PR14MB13659FED82F994F4BDF924E4D7460@CY4PR14MB1365.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(3231020)(10201501046)(93006095)(93001095)(3002001)(6041248)(20161123562025)(20161123558100)(20161123564025)(20161123560025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1365; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1365;
x-forefront-prvs: 046985391D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(199003)(24454002)(189002)(230783001)(55016002)(97736004)(19609705001)(4326008)(99286003)(3280700002)(53936002)(101416001)(6436002)(66066001)(2950100002)(6306002)(76176999)(39060400002)(50986999)(25786009)(229853002)(6506006)(6116002)(3660700001)(14454004)(54356999)(189998001)(236005)(68736007)(2906002)(77096006)(2900100001)(81156014)(81166006)(8936002)(7696004)(86362001)(5660300001)(105586002)(110136005)(53546010)(93886005)(6246003)(72206003)(9686003)(74316002)(80792005)(54896002)(8676002)(478600001)(106356001)(316002)(3846002)(7736002)(33656002)(102836003)(790700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1365; H:CY4PR14MB1368.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB1368C52236964E69E1F124FBD7460CY4PR14MB1368namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2017 22:09:34.8125 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1365
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: e34113f8-33fd-4c2d-a6c7-b6716d61ec5e
X-VPM-MSG-ID: de8af55c-2142-4c6d-94bb-dafd4ee263ee
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/52wEBNtaq4HjeuhNy8t8Gb4Z7aA>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 22:09:42 -0000

This can be solved without changes to the protocol or a standardized “backdoor” - and is being done today by at least some enterprises.

Having worked (and presently working) for more than one company of this nature, in the payments business no less, I would like to restate that it's incredibly disingenuous to cite the need for self-MitM capability as an "industry" concern.

No one I am aware of is pushing for a MitM capability to address this.   In fact it was one of the alternative solutions for which many implementation issues were cited at the Prague meeting and on this list.    But I would like to ask,  what is the solution that your company and others that you reference,  have solved this problem by implementing?




From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Tony Arcieri
Sent: Monday, October 23, 2017 5:43 PM
To: Adam Caudill <adam@adamcaudill.com>;
Cc: tls@ietf.org
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Mon, Oct 23, 2017 at 12:11 PM, Adam Caudill <adam@adamcaudill.com<mailto:adam@adamcaudill.com>> wrote:
Those advocating for some standardized method of subverting the security properties of TLS have been offered numerous options in good faith, and continue to reject them all. I’m aware of extremely large enterprises that in fact require TLS 1.2 with PFS, as they made the investment in addressing this issue early on, and do so effectively. This can be solved without changes to the protocol or a standardized “backdoor” - and is being done today by at least some enterprises.

Having worked (and presently working) for more than one company of this nature, in the payments business no less, I would like to restate that it's incredibly disingenuous to cite the need for self-MitM capability as an "industry" concern.

I think if it were possible to ask for a hum "from industry", you'd find the field divided between those who have invested in a real observability story, and those who think passive network traffic collection is the only way to debug their systems. I think if you were to even take a straw poll of the best approaches monitoring/observability among actual industry practitioners, passive network traffic collection would rank close to the bottom of the list.

I would go as far as to say that if you are among those requesting this misfeature, you are doing a terrible job securing your infrastructure, and should look into modern observability techniques as an alternative to debugging by concentrating network traffic dumps into a single point of compromise which represents a huge security liability. Yes, switching to a new approach to observability is a huge investment that will take time, but so is upgrading to a new version of TLS.

The "industry" reality is that many companies do not need a self-MitM misfeature and could be actively harmed by it, and while a self-MitM capability may be standard operating practice for some, it is not true for all, and identifying those who want the self-MitM capability as "industry" is a composition fallacy being leveraged as a rhetorical tactic, i.e. "IETF is not listening to the concerns of industry".

As a member of "industry" myself, I implore the IETF: please don't make the rest of us less secure at the request of those who are running insecure infrastructures and apparently intend on keeping things that way.


The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.