Re: [TLS] PR#1091: Changes to provide middlebox robustness

"Salz, Rich" <rsalz@akamai.com> Wed, 08 November 2017 00:32 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Martin Thomson <martin.thomson@gmail.com>, Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] PR#1091: Changes to provide middlebox robustness
Date: Wed, 8 Nov 2017 00:32:00 +0000
Message-ID: <F871F4D8-3EF8-43F5-B45F-B8CC69D49386@akamai.com>
References: <CABcZeBNm4bEMx0L6Kx-v7R+Tog9WLXxQLwTwjutapRWWW_x9+w@mail.gmail.com> <4406543.RZChgRkkf9@pintsize.usersys.redhat.com> <CABcZeBOxEAVUAq6+cSD9P+e0VHvgJHvrgj6uENbvf9aWnZooKg@mail.gmail.com> <6818962.9GzJR6rN5C@pintsize.usersys.redhat.com> <965B995B-A5B3-4322-B13A-A2D82AFD2743@akamai.com> <CABkgnnWt4NYuGKOoCfH3x6oSHXbC90ubJM64ArYiNG+9qhXQWw@mail.gmail.com> <D517CEA4-AF57-4F87-9D66-4A2D0299ED17@akamai.com> <CABcZeBNkgO2efWJL4bNDqVnCVr9+Hpg_D+b8ebNukf=HpHnujA@mail.gmail.com>
In-Reply-To: <CABcZeBNkgO2efWJL4bNDqVnCVr9+Hpg_D+b8ebNukf=HpHnujA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9UO-_KNG4klHwyJ6Wy4tSsHxjEg>
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

➢ Given that we're almost there, and that only really browsers are
    asking for these hacks, and that even some of those were almost ready
    to ship without these hacks, I don't think that this is entirely
    unrealistic as an aspiration.

The Internet is more than just a couple of browser executables.

Does nobody think of the servers?


➢ I do, but I don't really see how they're relevant for this question. Don't the servers control the middleboxes they are behind?

The smiley got lost.  But smiley isn’t quite the right emoticon either.  But to answer your question: no, they often don’t.  And it’s not just the middleboxes they are behind, but all those along the way.

To say that only browsers were asking for these hacks is also a little disingenuous.  It was a self-selected design group (to be charitable) that mostly worked by themselves without the whole WG being involved.  I’m glad we seem to be ending up with something that works, with the only thing being lost is some nerd esthetics, but let’s not forget the (to me, disappointing) way the whole thing went down: a collaboration among, and only among, Google, Mozilla, and Facebook.