Re: [TLS] network-based security solution use cases

Florian Weimer <fw@deneb.enyo.de> Sun, 05 November 2017 15:31 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: "Nancy Cam-Winget \(ncamwing\)" <ncamwing@cisco.com>
Cc: "tls\@ietf.org" <tls@ietf.org>
References: <895D1206-28D1-43AB-8A45-11DEEC86A71D@cisco.com>
Date: Sun, 05 Nov 2017 16:31:52 +0100
In-Reply-To: <895D1206-28D1-43AB-8A45-11DEEC86A71D@cisco.com> (Nancy Cam-Winget's message of "Sat, 4 Nov 2017 01:49:54 +0000")
Message-ID: <874lq868t3.fsf@mid.deneb.enyo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6s-mO7gBhwFgXY8uBzXLhyBjhYs>
Subject: Re: [TLS] network-based security solution use cases

* Nancy Cam-Winget:

> @IETF99, awareness was raised to some of the security WGs (thanks
> Kathleen ☺) that TLS 1.3 will obscure visibility currently afforded in
> TLS 1.2 and asked what the implications would be for the security
> solutions today.
> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00 is an
> initial draft to describe some of the impacts relating to current
> network security solutions.  The goal of the draft is NOT to propose
> any solution as a few have been proposed, but rather to raise
> awareness to how current network-based security solutions work today
> and their impact on them based on the current TLS 1.3 specification.

I'm not sure if this approach is useful, I'm afraid.  The draft is
basically a collection of man-in-the-middle attacks many people would
consider benign.  It's unclear where the line is drawn: traffic
optimization/compression and ad suppression/replacement aren't
mentioned, for example, and I would expect both to be rather low on
the scale of offensiveness.

What the draft is essentially arguing is that many users cannot afford
end-to-end encryption for various reasons, some legal, some technical,
some political.  But it seems to me that this is currently not a
viewpoint shared by the IETF.