IETF Logo Mail Archive

Re: [TLS] Is there a way forward after today's hum?

Ted Lemon <mellon@fugue.com> Fri, 21 July 2017 10:16 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF0A2129B7F for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CI_bicHHUZcy for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:15:59 -0700 (PDT)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13F14127869 for <tls@ietf.org>; Fri, 21 Jul 2017 03:15:59 -0700 (PDT)
Received: by mail-pg0-x234.google.com with SMTP id 125so26974729pgi.3 for <tls@ietf.org>; Fri, 21 Jul 2017 03:15:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=amUK3QOtAU8UoyE78Ef3wgkkhFfkyCw+L/4ikdxKdlA=; b=d53VPS6cZElAN/OHN06T2+bfzTTpjmPLWiCf5HA/R1hmkIdRCxZy/9PAnIHXoyzJrq KteJrnKI5JrtSd8zWm2/7EqtCgf8IuoHkIVbBgQfNu4GjOIv21gG9f07bDYFkBHJOHpL CmXAiUZk9eV8+io+2X1HQAvvYObKxh52h51w7eF1aZvay0PM7kyUAc/7Ljzio3r9W3Wg JEsXkvNmCjVuEHEdLsXqi7Y4qkcd3xNBZ+51cUXPCyWXG+Gqc3B2kStglnCZYAbHfkEB jeigAlwS2t+3Nzi9QxaJd3QR4m3CDJxA+vIJ56HAvl1yciWJs13F2N19m4z00Ql82vGG P18A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=amUK3QOtAU8UoyE78Ef3wgkkhFfkyCw+L/4ikdxKdlA=; b=cLU4yy4UdY8cw4PSMrMQmeCO6bbwSpSWsvxPiXljHj2T86PjIPEI4Md+RwfIs8wXp3 so78LGziycaxwR4h7SXz7W8f5RuDM8f88HGOfK0CekkSC525BNSNz0btE/eXT3X2pS6G Yu3+Uz4AKiXhu8SvfszXMILe5F0GGGWYIQUdX5zl3+qNHy9w0LAc0OKtgteMMMLq1GPr SBr47DSpCGTwMbJn9d6ToCCIiXJziyUysbSpp+QmDFVlLUzt5b5disvad/9okjKRi2i/ hso72zhozLfxIkddop5ZniHcCtXXhagXRWucq/70ONpKtUV2R21IYNVjgaCPtDZI0VUZ TuLg==
X-Gm-Message-State: AIVw110jO/LF5KIEnFMAAbQeYFY723bcjhOhn+eYDxvvJ48r5AH8Ryvq gjqp8GSjkLFHt3JS8DRtvxSn8yLAZN11
X-Received: by 10.98.18.69 with SMTP id a66mr7088103pfj.33.1500632158644; Fri, 21 Jul 2017 03:15:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.181.130 with HTTP; Fri, 21 Jul 2017 03:15:18 -0700 (PDT)
In-Reply-To: <CY4PR14MB13688CC2BB22F6CC44452615D7A40@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <E6D7DDCD-FDE6-4784-ACE8-0F5AC8E2CEDF@vigilsec.com> <CAPt1N1ka=vuoZMB58LXfkJ_qafohf08WeoUs2y4kaCxBtCx29Q@mail.gmail.com> <EEBF938A-234C-43E3-B058-4AE443C66EF0@vigilsec.com> <EF9F84E0-2C71-4A73-989E-1EC6B86861ED@gmail.com> <CA+cU71kM-u4JxJU8_9ogK0MbnNcy=y5-y-5FzkL8TEV_JaAK8Q@mail.gmail.com> <CAPt1N1k7KveaKufWzRceqezpTFsAoEGxG_fKymtjQJ1iU9UVtA@mail.gmail.com> <CY4PR14MB13688CC2BB22F6CC44452615D7A40@CY4PR14MB1368.namprd14.prod.outlook.com>
From: Ted Lemon <mellon@fugue.com>
Date: Fri, 21 Jul 2017 12:15:18 +0200
Message-ID: <CAPt1N1kES=9_pS6jvvoZV8Y0KdRjzQZnsB5r+Spq5Y2D4Q7zHQ@mail.gmail.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
Cc: Tom Ritter <tom@ritter.vg>, IETF TLS <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1145b83ac1405c0554d126f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Flksj9TvVh90yhBArK80Em8VtZU>
Subject: Re: [TLS] Is there a way forward after today's hum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 10:16:02 -0000

As I said in the previous message, the 3270 was the original web browser.
What I mean by that is that the 3270 transaction model is basically a
primitive version of http: you throw up a page, the user enters some data,
then the user hits send and all the data goes to the server at once.   The
reason the 3270 is no longer widely used is because it's been replaced by
web browsers.

Mentioning that in passing probably made my message less clear; the point
is that the 3270<->mainframe model of operation comes with very different
assumptions than the web browser<->service provider model, and one of the
problems you have is that what you are doing is really the former and not
the latter.


On Fri, Jul 21, 2017 at 12:00 PM, Ackermann, Michael <MAckermann@bcbsm.com>
wrote:

> Ted
>
> You may be aware that most enterprises have been migrating away from 3270
> for 20 years or more.  Very little still exists.      What little does
> exist is usually implemented via tn3270.   In the browser scenario you
> describe I would expect the Server side to be a tn3270 server,  but you
> will have to fill in the details of the use case you are describing,  to be
> sure.
>
>
>
> I hope the above helps,  but my real question is why would this be special
> or even relevant to the TLS1.3 discussion.
>
>
>
> Attempting to address specific applications or implementations would seem
> only add confusion IMHO.
>
>
>
> Thanks
>
>
>
> Mike
>
>
>
>
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Ted Lemon
> *Sent:* Thursday, July 20, 2017 10:48 AM
> *To:* Tom Ritter <tom@ritter.vg>
> *Cc:* IETF TLS <tls@ietf.org>
> *Subject:* Re: [TLS] Is there a way forward after today's hum?
>
>
>
> The problem is that one of the applications for web browsers is as a
> replacement for 3270s (the first web browser).   That use case is said to
> require this functionality.
>
>
>
> On Thu, Jul 20, 2017 at 4:43 PM, Tom Ritter <tom@ritter.vg> wrote:
>
> On 20 July 2017 at 01:53, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >
> > On 20 Jul 2017, at 8:01, Russ Housley <housley@vigilsec.com> wrote:
> >
> > Ted, if we use a new extension, then the server cannot include it unless
> the
> > client offered it first.  I am thinking of an approach where the server
> > would include information needed by the decryptor in the response.  So,
> if
> > the client did not offer the extension, it would be a TLS protocol
> violation
> > for the server to include it.
> >
> >
> > So we also add an alert called “key-export-needed” in case the client
> does
> > not include it.
> >
> > That way a browser (as an example) can show the user why the connection
> was
> > broken (“server requires wiretapping to be enabled. Go to about:config if
> > that is OK and change the allow-wiretap setting to True”)
>
> I previously expressed that I could support the extension mechanism -
> I'm sympathetic to regulatory requirements and unhappy with, although
> understanding of, what has become the 'standard mechanism' (breaking
> crypto) to achieve them. I've looked at more than one 'end to end'
> encrypted messenger that tosses in the 'third end' of key escrow.
>
> But to suggest such a mechanism might ever be implemented in a web
> browser throws my hackles up. The discussion has always been about
> datacenter - the people concerned say "We don't want your datacenter
> stuff in our protocol and the proponents say "No really, we only care
> about the datacenter."
>
> The concerns around some future government-mandated key escrow is very
> real and very concerning.
>
> -tom
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> The information contained in this communication is highly confidential and
> is intended solely for the use of the individual(s) to whom this
> communication is directed. If you are not the intended recipient, you are
> hereby notified that any viewing, copying, disclosure or distribution of
> this information is prohibited. Please notify the sender, by electronic
> mail or telephone, of any unintended receipt and delete the original
> message without making any copies.
>
> Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are
> nonprofit corporations and independent licensees of the Blue Cross and Blue
> Shield Association.
>

v2.23.0 | Report a Bug | By Email