Re: [TLS] draft-green-tls-static-dh-in-tls13-01

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hiya,

On 15/07/17 20:49, Roland Zink wrote:
> TLS is a two endpoint protocol. It looks like many of the use cases
> describe problems with more than two endpoints but are using TLS because
> it is commonly available. So should TLS be extended to be an n-party
> protocol (or is this always considered wiretapping?) or should be there
> another protocol or something else?

Yes, if one wants different semantics than TLS and needs an
entirely different interface for applications, (which all N>2
party protocols do need) then one needs to define a different
protocol that is not TLS.

Of course, that's impractical, so people will continue to
ignore the fact that they're doing bad engineering and will
come along now and then and try convince us to break TLS.

Cheers,
S.


> 
> 
> Regards,
> 
> Roland
> 
> 
> 
> Am 15.07.2017 um 19:34 schrieb Colm MacCárthaigh:
>>
>>
>> On Fri, Jul 14, 2017 at 11:12 PM, Daniel Kahn Gillmor
>> <dkg@fifthhorseman.net <mailto:dkg@fifthhorseman.net>> wrote:
>>
>>      * This proposed TLS variant is *never* acceptable for use on the
>>     public
>>        Internet.  At most it's acceptable only between two endpoints
>>     within
>>        a datacenter under a single zone of administrative control.
>>
>>
>>      * Forward secrecy is in general a valuable property for encrypted
>>        communications in transit.
>>
>>
>>     If there's anyone on the list who disagrees with the above two
>>     statements, please speak up!
>>
>>
>> I agree with the second statement, but I don't really follow the logic
>> of the first. On the public internet, it's increasingly common for
>> traffic to be MITMd in the form of a CDN. Many commenters here have
>> also responded "Just use proxies". I don't get how that's better.
>>
>> A proxy sees all of the plaintext, not just selected amounts. All of
>> the same coercion and compromise risks apply to a proxy too, but since
>> it undetectably sees everything,  that would seem objectively worse
>> from a security/privacy risk POV.
>> Or put another way: if these organizations need to occasionally
>> inspect plaintext, would I prefer that it's the kind of system where
>> they have to go pull a key from a store, and decrypt specific
>> ciphertexts on demand offline, or do I want them recording plaintext
>> *all* of the time inline? It seems utterly bizarre that we would
>> collectively favor the latter. We end up recommending the kinds of
>> systems that are an attacker's dream.
>>
>> Here's what I'd prefer:
>>
>>  * Don't allow static DH. In fact, forbid it, and recommend that
>> clients check for changing DH params.
>>  * For the pcap-folks, define an extension that exports the session
>> key or PMS, encrypted under another key. Make this part of the
>> post-handshake transcript.
>>  * pcap-folks can do what they want, but clients will know and can
>> issue security warnings if they desire. Forbiding static DH enforces
>> this mechanism, and we can collectively land in a better place than we
>> are today.
>>
>> -- 
>> Colm
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>