Re: [TLS] chairs - please shutdown wiretapping discussion...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 10 July 2017 19:37 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC2313188C for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 12:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-gT1W_Bj7l5 for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 12:37:29 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85231131897 for <tls@ietf.org>; Mon, 10 Jul 2017 12:37:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 32A5CBE38; Mon, 10 Jul 2017 20:37:24 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fdhaCPJBnj1W; Mon, 10 Jul 2017 20:37:23 +0100 (IST)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EA751BDD8; Mon, 10 Jul 2017 20:37:22 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1499715443; bh=4SwBY59yy13h+LWs4HjpnR9DiqOABtzJTFqhu+PSkSI=; h=Subject:To:References:From:Date:In-Reply-To:From; b=HH2esgUyRtsg39dbq+2a7uYUyhDQr6QoqYPrR+xiAVZoKO1hLRRTvRS36wqagNpPg ShrgaeQJUh2vwgKDAYtnK8zQIPh+IZSjpbOQsOd9mxBjA+HOVlfIC5SgGpcC1Ee0WX Mol0YgJqg8eUztaoMZFEAQraTlCKEG72Mjsbae8c=
To: "Ackermann, Michael" <MAckermann@bcbsm.com>, "Polk, Tim (Fed)" <william.polk@nist.gov>, "tls@ietf.org" <tls@ietf.org>
References: <E9640B43-B3AD-48D7-910D-F284030B5466@nist.gov> <CY4PR14MB13688370E0544C9B84BB52A3D7A90@CY4PR14MB1368.namprd14.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <9693fc25-6444-e066-94aa-47094700f188@cs.tcd.ie>
Date: Mon, 10 Jul 2017 20:37:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CY4PR14MB13688370E0544C9B84BB52A3D7A90@CY4PR14MB1368.namprd14.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="99BtleWc9QJG05Pr4tUSeDoJ75TNJvoCv"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5YHrlICdtzy2ouBbdPWLe7Baan4>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 19:37:31 -0000


On 10/07/17 16:30, Ackermann, Michael wrote:
> Given the above scenario,  I do not understand how this can be construed as "Wiretapping".    2804 seems to make this clear.

TLS is much more widely used that you seem to imagine.

Please see the comments to the effect that there is no
way to control to location of the wiretap/TLS-decrypter
in the protocol.

If that's not obvious, I don't know how to explain it
further.

See also text in 2804 wrt tools being used for more than
initially envisaged.

And if coercion of a server to comply with a wiretap
scheme like this stills fanciful to you, please check
out the history of lavabit - had there been a standard
wiretap API as envisaged here it's pretty certain that
would have been the device of choice in a case like that.
While it's easy enough to envisage many other abuses
that could be based on this wiretap scheme, that one is
a good match and a real one.

> Such critical colloquy,  with significant long term
> impact,  should not be prematurely terminated,  IMHO

"Premature" is nonsense, this debate has gone on too long
already.

S.