[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks

Dennis Jackson <ietf@dennis-jackson.uk> Tue, 23 July 2024 17:09 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FyEW8WeIifpkDfQQ0nmYTNlqr-Q>

I don't think it's possible to go one API / method at a time. If we want 
to turn on a feature by default, it has to either be non-backwards 
compatible or not break any existing API.

This is a problem for Trust Expressions because exposing the TLS 
certificate to the application is a major part of pretty much all 
existing library APIs and the library doesn't know what the application 
is going to enforce (or expect) about those certificates. This makes it 
hard (impossible?) for Trust Expressions to accurately convey the 
application's policy or to be used to experiment with the certificate 
format.

Best,
Dennis

On 23/07/2024 09:41, Salz, Rich wrote:
>
> I agree that I didn’t provide a comprehensive answer, only that it was 
> possible, perhaps one API at a time.  So maybe that addresses many 
> legacy apps.
>
> But you are totally right that the surface area is MUCH bigger than that.
>
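The failure mode Dennis describes, as an added toy model (not code from the thread or from any TLS library): a library advertises the trust anchors it accepts, the server picks a matching chain, and the application then applies its own policy to the certificate the library hands back. The anchor names, chains and the pinning policy are constructed for illustration; real libraries expose the certificate through calls such as `getpeercert()` or a verify callback, which is the API surface the message refers to.

```python
"""
Toy model of trust-anchor negotiation meeting an application-level
certificate policy. Everything here (anchor names, chains, the legacy
pin) is constructed for illustration; no real TLS is performed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    leaf_subject: str
    anchor: str  # name of the root that issued this chain


@dataclass
class Server:
    # Server preference order (e.g. it would rather send a newer, smaller
    # chain), plus the conservative default it sends when the client has
    # expressed no trust preference at all.
    preferred: list
    default: Chain

    def select(self, advertised_anchors):
        """Pick the most preferred chain the client said it trusts;
        with no advertisement, fall back to the default chain."""
        for chain in self.preferred:
            if chain.anchor in advertised_anchors:
                return chain
        return self.default


@dataclass
class TlsLibrary:
    trusted_anchors: set
    negotiate: bool = False  # trust-anchor negotiation on or off

    def handshake(self, server):
        # With negotiation on, the library tells the server which roots it
        # trusts; the server then chooses a chain accordingly.
        advertised = self.trusted_anchors if self.negotiate else set()
        chain = server.select(advertised)
        if chain.anchor not in self.trusted_anchors:
            raise ValueError("library rejected chain: untrusted anchor")
        # The library's job ends here; the chain is exposed to the
        # application through the usual certificate-access API.
        return chain


def legacy_app_policy(chain):
    """Constructed application check the library knows nothing about:
    the app pins the issuing root it has always observed."""
    return chain.anchor == "LegacyRoot"


def connect(library, server, app_policy):
    """Full client path: library handshake, then application policy.
    Returns True if the application accepts the connection."""
    chain = library.handshake(server)
    return app_policy(chain)


# Constructed server: it trusts both roots itself and prefers NewRoot,
# but defaults to LegacyRoot when the client says nothing.
DEMO_SERVER = Server(
    preferred=[Chain("example.test", "NewRoot"),
               Chain("example.test", "LegacyRoot")],
    default=Chain("example.test", "LegacyRoot"),
)
BOTH_ROOTS = {"LegacyRoot", "NewRoot"}


def run_demo():
    """Compare outcomes with negotiation off and on for the same app.
    The library's behaviour is valid in both cases; only the
    application's unseen policy decides whether the connection works."""
    return {
        "negotiation_off": connect(TlsLibrary(BOTH_ROOTS, negotiate=False),
                                   DEMO_SERVER, legacy_app_policy),
        "negotiation_on": connect(TlsLibrary(BOTH_ROOTS, negotiate=True),
                                  DEMO_SERVER, legacy_app_policy),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the library accepting the chain in both modes while the application accepts only when negotiation is off: the trust expression the library sends is truthful about the library's own store but says nothing about the policy layered on top of it, which is why enabling it by default changes behaviour the library cannot predict.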