Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Melinda Shore <melinda.shore@nomountain.net> Fri, 14 July 2017 18:01 UTC

Return-Path: <melinda.shore@nomountain.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE54131537 for <tls@ietfa.amsl.com>; Fri, 14 Jul 2017 11:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nomountain-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwrErkpvxjSv for <tls@ietfa.amsl.com>; Fri, 14 Jul 2017 11:01:58 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26176126E64 for <tls@ietf.org>; Fri, 14 Jul 2017 11:01:58 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id l130so77497073oib.1 for <tls@ietf.org>; Fri, 14 Jul 2017 11:01:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nomountain-net.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=kIxK4Bgr8SUC0vBrX/ga6x7nCdOipU066e0uMhA5ho8=; b=thzJk8i5Ypg7NTkTnK5oHY7pgHpLZG5b9QJL2o0YJuPO7/jmqIIjJZOlu6942QTZmq /3upyJnOe7scWYPy5uiw8VHcTyGahOlUmVl5r8i2seIdK6BuBlJ8Pl7N501km+mfFfn8 UpnBKCbOVgYYWNHCJCXyvxV3d6CFyrkK951nUMK+kaUPKzEOIqKHUO+GdEo5zeGl4Tgo 0OpwmhBfKT5jcCDIF8FIAWONIhwiUgXm97cEpCQVO0e8A5sXThLHc9+33PAFzF6zl3dS Eefq1qcYkEeR0YN2CZ4Y/BeNvjaGTlG1HPPY1V61CVyEuO3YCTWBZKxts57Gw3lI1Efp 0Tlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=kIxK4Bgr8SUC0vBrX/ga6x7nCdOipU066e0uMhA5ho8=; b=FBgt/vvOS/cJkIRxtiHtiZsXz2aCCJedZppCnT2fX8FqRHJ7+Ku0urMWV+UHldG2V2 vTdwNX0h2CEmzEFuBaf9exyYb+SbIeUObQ1eUV3+PvxrPtmQK69Wo8MmLyZ/ySG0sWAX 7DmhJX4edAbhqPRmVp5Xz2VWLUdIlqlHXbuCQM6Jpam5iyzm4P4eM6nJPWfqMok4+9YD BEA2UwjIztTCtTVHRpaxIc8PHsRsrkDeQNWcCmArk1Ql8cVer4cSghfSvPSbeig5ndbH xyAODSRa+B8zwJq4AZXN8KjbFjjUFz1tW8IwHofItSuF/KVxy60H0XFgE/GkQZZNbjGP UCVA==
X-Gm-Message-State: AIVw112Wcp9F9/IwHIZb784GF6dWOHUuxzmqeNS1G05gWN7qa1Vpuste 1GS5zQuIDOjnEjJQbQkCVA==
X-Received: by 10.202.242.213 with SMTP id q204mr1690882oih.88.1500055317247; Fri, 14 Jul 2017 11:01:57 -0700 (PDT)
Received: from Melindas-MacBook-Pro.local ([173.254.255.141]) by smtp.gmail.com with ESMTPSA id z81sm9517310oig.32.2017.07.14.11.01.55 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 14 Jul 2017 11:01:56 -0700 (PDT)
To: tls@ietf.org
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <72BACCE6-CCB9-4DE9-84E6-0F942E8C7093@gmail.com>
From: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <a0a7b2ed-8017-9a54-fec0-6156c31bbbfa@nomountain.net>
Date: Fri, 14 Jul 2017 20:01:53 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <72BACCE6-CCB9-4DE9-84E6-0F942E8C7093@gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="8Rm1Dj583hQDCQ7UbWrqL2nUCJKlq5FQK"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/807k3sMisq9VxoOOyir-lSKwK40>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jul 2017 18:01:59 -0000

On 7/14/17 6:45 PM, Yoav Nir wrote:
>> On 14 Jul 2017, at 18:35, Joseph Lorenzo Hall <joe@cdt.org>; wrote:
>> Just want to +1 the notion that this should be opt-in for both sides and in an extension!
> It’s a good notion, but “we have to change one side” usually wins over “we have to change both sides”

Something that demands a forklift upgrade of both/all sides at the
same time tends not to be deployed, ever (look at the history of
NAT/firewall traversal technologies in the IETF, as one example).

I'm basically in agreement with Stephen and Uri here but now that
I'm working for a company that's providing services I'm becoming
more aware of the real need for network monitoring.  It does need
to be discussed somewhere but I don't think that that discussion
needs to take place in the TLS working group in the context of this
one particular proposal.  There's more than one way to solve this
problem and while the fact that these folks want to keep solving
it basically the same way that they have in the past is interesting
but perhaps not as compelling as it could be.

It might make sense to kick it over to ops for a discussion with
people whose meat and potatoes is monitoring, management, and
measurement.  It needn't necessarily stay there but I think that
there are a bunch of options that need to be sorted through.  I
can't really see the static Diffie-Hellman proposal going anywhere
quickly, anyway, to be honest, so might as well use that time to
develop a fuller understanding of the potential solutions to the
problem.

Melinda