Re: [TLS] TLS@IETF101 Agenda Posted

George Palmer <gl@bitwiseshift.net> Tue, 13 March 2018 17:30 UTC

Return-Path: <gl@bitwiseshift.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FFD412741D for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 10:30:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bitwiseshift.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qypxqAXs7W6a for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 10:30:48 -0700 (PDT)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D47B31200E5 for <tls@ietf.org>; Tue, 13 Mar 2018 10:30:47 -0700 (PDT)
Received: by mail-wr0-x230.google.com with SMTP id d10so1182893wrf.3 for <tls@ietf.org>; Tue, 13 Mar 2018 10:30:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitwiseshift.net; s=20170811; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=umv7HARkDDayyHgy3K6ao/080vGTaAjnW07AUn32fuE=; b=F9AyUvqmH/2R6+/4rKKqUJgSH3YUapk/HWTyolUUsT4cvWEq0V8jFnhC/OPSkTN5ap T8iAua5dEeaNhgiZ8eiGj9MmbgM28HGzeaGMeA1XS2rpRuulXKhSltdHuZ7ILxIPx/zy 2JBmfiPkmDXp4e40Rw1yB/DtA8jx+uGQTAD3ZeMw2ySP/Y5o6t0q7m8vk3ZriEF3BI+y GcfcS921WApHPRNpKurFCS6tPbIkQzGD2CtZ2074yEB3VrIwxoXRzxvFPr6KFGarP29I /sUd5Q9h0gfE6TPkrBU4xQ2cdYiXjNibAXFCza4SMtdcCo++u3TfjOA/U0AL7geBXuhn SI9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=umv7HARkDDayyHgy3K6ao/080vGTaAjnW07AUn32fuE=; b=TEm7twAoCU8Uq3+ptHmpaeWYhCeCTrTE1rTxkcuGphhusCBHsiz97bmonIWfmw9uiC Bxz2IkFjegcmszGE11aOLhR/aH3ezHXQJIZtZeDmW7CxMq1SVuk8XKjqymW81Bwtgc+R SQ/8LB0OI2LOSV/50HnbaDBxMTqTt7k5b+per4JOxTa8GcpBHVkRAMD2xOzcT15N58JT Ij4ZVtYRnjeec7MlOTNpWuNK7KczVlt6ZXpk5K3akJWSK8w5qV8BWCfAY5PkOCw/YPBh w34OcbSza3z4aYFDEcSMVYg5T2HrnkkP4F/wSVEfzrqNAmon7T3AZLobRnmwQcswHlnE c5MQ==
X-Gm-Message-State: AElRT7FKjipHtNbBL9GPyR0kdwotqKZ/z/8uoaYErci4W6yoPVudDuET GkTK2WYEKKw0/kCBZbW/i6Lkl9tdeWfVziyIwo1s+gNVzrwNgwtZ3Ovjhg7oCObmzS38HPeQt0s cFbERhYN8lfXJ2daBOPbGj5ClKTVaERlcAO0yagB0O6bfev9Qm1REpA==
X-Google-Smtp-Source: AG47ELuzXUN2XqtJaYI+rWqYEx8Ql/4UNRih41bCcELwjRM4PdO5/gitcnDjT8hn33oTAR8uUd8N7A==
X-Received: by 10.80.211.19 with SMTP id g19mr1683221edh.15.1520962246045; Tue, 13 Mar 2018 10:30:46 -0700 (PDT)
Received: from [10.14.31.41] ([89.191.217.234]) by smtp.gmail.com with ESMTPSA id 93sm521666edi.19.2018.03.13.10.30.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Mar 2018 10:30:45 -0700 (PDT)
Content-Type: multipart/signed; boundary=Apple-Mail-6B19B307-F480-4B3A-B2A0-69B8587F1302; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (1.0)
From: George Palmer <gl@bitwiseshift.net>
X-Mailer: iPhone Mail (15D100)
In-Reply-To: <CABcZeBNpMekXPRYiLe3oGCjhuu3X+9zuLVnbiz1TnhymVWAMgQ@mail.gmail.com>
Date: Tue, 13 Mar 2018 17:30:44 +0000
Cc: nalini elkins <nalini.elkins@e-dco.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <0FE675D1-3300-418D-A5D6-A8A7344CB96A@bitwiseshift.net>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <986797a7-81b0-7874-5f39-afe83c86635b@cs.tcd.ie> <CAOgPGoBYc7O+qmjM-ptkRkE6mRsOYgc5O7Wu9pm3drFp3TVa6Q@mail.gmail.com> <d7dfdc1a-2c96-fd88-df1b-3167fe0f804b@cs.tcd.ie> <CAHbuEH7E8MhFcMt2GSngSrGxN=6bU6LD49foPC-mdoUZboH_0Q@mail.gmail.com> <1a024320-c674-6f75-ccc4-d27b75e3d017@nomountain.net> <2ed0gc.p5dcxd.31eoyz-qmf@mercury.scss.tcd.ie> <d7ec110f-2a0b-cf97-94a3-eeb5594d8c24@cs.tcd.ie> <CAAF6GDcaG7nousyQ6wotEg4dW8PFuXi=riH2702eZZn2fwfLQw@mail.gmail.com> <CAPsNn2XCNtqZaQM6Bg8uoMZRJE+qQakEwvw8Cn9fBm-5H+Xn_A@mail.gmail.com> <CABcZeBNpMekXPRYiLe3oGCjhuu3X+9zuLVnbiz1TnhymVWAMgQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7h02ZbcXjQmh4Q_k0aNDd-KUhys>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 17:30:50 -0000

+1

> On 13 Mar 2018, at 17:23, Eric Rescorla <ekr@rtfm.com>; wrote:
> 
> 
> 
>> On Tue, Mar 13, 2018 at 8:58 AM, nalini elkins <nalini.elkins@e-dco.com>; wrote:
>> Stephen (and TLS group)
>> 
>> We need to look at the bigger picture.    
>> 
>> The TLS working group has been concentrating on making the Internet secure for the individual user.    We feel that there is also an underlying motivation to help the underdog and protect the political dissident.  These are all laudable goals.  
>> 
>> But, the Internet is much more than that.  The Internet is the underpinnings of much of the business community which is utilized by consumers (end users).   Making a change which makes businesses less secure because crucial functions cannot be done will lead to enormous chaos and disruption.   Many businesses are likely to not want to adopt TLS1.3 or seek unique DIY type alternatives.  In fact, we have already heard of some planning to block TLS 1.3 traffic just for this reason. 
> 
> As a break from the meta-discussion about whether this topic should be
> on the agenda, I'd like to make a technical point. There are two
> separate settings where TLS 1.3 makes inspection more difficult:
> 
> 1. Cases where the inspecting entity controls the server and does
>    passive inspection: TLS 1.3 mandates PFS and so designs
>    which involve having a copy of the server's RSA key won't work
>    
> 2. Cases where the inspecting entity controls the client and does
>    MITM: TLS 1.3 encrypts the certificate and so conditional
>    inspection based on the server cert doesn't work (though see [0]
>    for some of the reasons this is problematic.)
> 
> The two drafts under discussion here only apply to case #1 and not to
> case #2. However, for case #1, because you control the server, there's
> no need to look at blocking TLS 1.3, you merely need to not enable it
> on your server, so this framing is a bit confusing.
> 
> 
> -Ekr
> 
> [0] https://www.imperialviolet.org/2018/03/10/tls13.html 
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls