Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Kathleen Moriarty <> Tue, 24 October 2017 20:52 UTC

From: Kathleen Moriarty <>
Date: Tue, 24 Oct 2017 16:51:30 -0400
Message-ID: <>
To: Ted Lemon <>
Cc: "David A. Cooper" <>, "" <>

On Tue, Oct 24, 2017 at 4:24 PM, Ted Lemon <> wrote:
> On Oct 24, 2017, at 4:21 PM, David A. Cooper <> wrote:
> I'm not suggesting that cash strapped schools would use one of these
> devices. I'm simply saying that such a solution would be simpler and far
> more effective than trying to use draft-rhrd-tls-tls13-visibility to snoop
> on outgoing traffic.
> Again, if that were true, then it would also be true that these devices
> would nicely solve the problem that draft-rhrd-tls-tls13-visibility solves.

These are two different problems and although you could use a proxy
solution inside a datacenter, it doesn't scale or make sense.  IMO,
David countered Yoav's clever scenario very well.

Now, the proponents are asking for alternatives to consider and a
serious look at their proposal.  Can we look at this request
constructively and provide a cohesive set of alternate solutions?

IPsec [1] might be possible, but requires a change in tooling for
intercepting traffic.  In hosted environments, it also could change
who is managing the encryption (TCP/application vs. IP layer).
I also received a comment that you could also tie in use of IPv6 and
label sessions with the IPsec approach and that makes sense.

What about the experimental drafts in TCPInc?  [2]
This provides opportunistically encrypted TCP, so you could MiTM it.

Are there other alternate solutions that have been discussed or should
be?  Maybe it would be helpful to list them out for comparison and
evaluation by those interested - not on list as that's off-topic.





Best regards,