Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Roland Zink <> Sat, 15 July 2017 19:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A3634128990 for <>; Sat, 15 Jul 2017 12:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K1mBRs4ye4Fm for <>; Sat, 15 Jul 2017 12:49:39 -0700 (PDT)
Received: from ( [IPv6:2a01:238:20a:202:5300::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 61B7E1270A7 for <>; Sat, 15 Jul 2017 12:49:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1500148177; l=7542; s=domk;; h=Content-Type:In-Reply-To:MIME-Version:Date:From:References:To: Subject; bh=tQvieZUgycHuq4b72SA4OC5z+FjEF6D24L+0ZdYbd/Y=; b=kBuYe4000P1rIbIzm6CAyB+zzl0ZKOTa4s3v4sle+BzXWRjjxm0RsPB8kP5fcRzyY1 rThNDMHRngF3nFXxIEEUr3C2Db7PZ9h2bpRVz2KFtJYUyy2ScP82H4e6fgeH2TuemH1u o3r6vdCdMqBY31zWvthnFMlIDAuOtLjMKNKjQ=
Received: from [] ( []) by (RZmta 41.1 DYNA|AUTH) with ESMTPSA id K02271t6FJnbqQ1 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate) for <>; Sat, 15 Jul 2017 21:49:37 +0200 (CEST)
References: <> <> <> <> <> <>
From: Roland Zink <>
Message-ID: <>
Date: Sat, 15 Jul 2017 21:49:38 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------5912835029BAEA893F7A1607"
Archived-At: <>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 15 Jul 2017 19:49:42 -0000

TLS is a two endpoint protocol. It looks like many of the use cases 
describe problems with more than two endpoints but are using TLS because 
it is commonly available. So should TLS be extended to be an n-party 
protocol (or is this always considered wiretapping?) or should be there 
another protocol or something else?



Am 15.07.2017 um 19:34 schrieb Colm MacCárthaigh:
> On Fri, Jul 14, 2017 at 11:12 PM, Daniel Kahn Gillmor 
> < <>> wrote:
>      * This proposed TLS variant is *never* acceptable for use on the
>     public
>        Internet.  At most it's acceptable only between two endpoints
>     within
>        a datacenter under a single zone of administrative control.
>      * Forward secrecy is in general a valuable property for encrypted
>        communications in transit.
>     If there's anyone on the list who disagrees with the above two
>     statements, please speak up!
> I agree with the second statement, but I don't really follow the logic 
> of the first. On the public internet, it's increasingly common for 
> traffic to be MITMd in the form of a CDN. Many commenters here have 
> also responded "Just use proxies". I don't get how that's better.
> A proxy sees all of the plaintext, not just selected amounts. All of 
> the same coercion and compromise risks apply to a proxy too, but since 
> it undetectably sees everything,  that would seem objectively worse 
> from a security/privacy risk POV.
> Or put another way: if these organizations need to occasionally 
> inspect plaintext, would I prefer that it's the kind of system where 
> they have to go pull a key from a store, and decrypt specific 
> ciphertexts on demand offline, or do I want them recording plaintext 
> *all* of the time inline? It seems utterly bizarre that we would 
> collectively favor the latter. We end up recommending the kinds of 
> systems that are an attacker's dream.
> Here's what I'd prefer:
>  * Don't allow static DH. In fact, forbid it, and recommend that 
> clients check for changing DH params.
>  * For the pcap-folks, define an extension that exports the session 
> key or PMS, encrypted under another key. Make this part of the 
> post-handshake transcript.
>  * pcap-folks can do what they want, but clients will know and can 
> issue security warnings if they desire. Forbiding static DH enforces 
> this mechanism, and we can collectively land in a better place than we 
> are today.
> -- 
> Colm
> _______________________________________________
> TLS mailing list