IETF Logo Mail Archive

Re: [TLS] Is there a way forward after today's hum?

"Ackermann, Michael" <MAckermann@bcbsm.com> Fri, 21 July 2017 10:00 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B5A129AA0 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id us6QQ1CWRmQP for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:00:38 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63592127869 for <tls@ietf.org>; Fri, 21 Jul 2017 03:00:37 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 57B27C0E98 for <tls@ietf.org>; Fri, 21 Jul 2017 05:00:37 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id 9C064C0D5E; Fri, 21 Jul 2017 05:00:36 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 643AFFE054; Fri, 21 Jul 2017 06:00:36 -0400 (EDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2C795FE048; Fri, 21 Jul 2017 06:00:36 -0400 (EDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (unknown [216.32.180.179]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Fri, 21 Jul 2017 06:00:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CEde2N2Zf9Og7kLUiehkPB60U+jXQkZ4yo9JFdvsTek=; b=JZDDGNHFx7mTgbVlPk4AxSQ0J4TxWxoxvl96cLaed/34BgtOgixv7KpuDc8XglVqoZep5/vPEWuksb5XlpLsfPmdEaaQ4Gq4eeArlrB/WH74Bc6SWJvcqF4+l75tJb2UYWRYkRSnW/pgLW6ivs56BwHqOlRInIZ0b3jAvre4c6U=
Received: from CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) by CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Fri, 21 Jul 2017 10:00:34 +0000
Received: from CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) by CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) with mapi id 15.01.1261.024; Fri, 21 Jul 2017 10:00:34 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Ted Lemon <mellon@fugue.com>, Tom Ritter <tom@ritter.vg>
CC: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] Is there a way forward after today's hum?
Thread-Index: AQHTALIHGHbk6fNWM0K8v0MY8OYdeqJbY6YAgADWGICAAA6rgIAAg1uAgAABQoCAAT7EEA==
Date: Fri, 21 Jul 2017 10:00:34 +0000
Message-ID: <CY4PR14MB13688CC2BB22F6CC44452615D7A40@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <E6D7DDCD-FDE6-4784-ACE8-0F5AC8E2CEDF@vigilsec.com> <CAPt1N1ka=vuoZMB58LXfkJ_qafohf08WeoUs2y4kaCxBtCx29Q@mail.gmail.com> <EEBF938A-234C-43E3-B058-4AE443C66EF0@vigilsec.com> <EF9F84E0-2C71-4A73-989E-1EC6B86861ED@gmail.com> <CA+cU71kM-u4JxJU8_9ogK0MbnNcy=y5-y-5FzkL8TEV_JaAK8Q@mail.gmail.com> <CAPt1N1k7KveaKufWzRceqezpTFsAoEGxG_fKymtjQJ1iU9UVtA@mail.gmail.com>
In-Reply-To: <CAPt1N1k7KveaKufWzRceqezpTFsAoEGxG_fKymtjQJ1iU9UVtA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-originating-ip: [2001:67c:1232:144:3022:b590:1454:7e6d]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1368; 20:R1N2VnBfiCMk5JOVew38L1FTzWJtsRD3UO82GnUPegSuboORhsvh0UHgEmqI38AYoljOWu3fyZH6lqEyqiGvPxGzCjrirH6F/vdkcRHvrT5USoKchlW6GpLb5TBOrncv/6LmoXqpvNCjuxVW3q+8ZFuaOzQn1W0nX6jw+g1slQo=
x-ms-office365-filtering-correlation-id: 1946392e-bfad-4811-ba6b-08d4d01f544c
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY4PR14MB1368;
x-ms-traffictypediagnostic: CY4PR14MB1368:
x-exchange-antispam-report-test: UriScan:(151999592597050)(158342451672863)(278428928389397)(26388249023172)(21748063052155);
x-microsoft-antispam-prvs: <CY4PR14MB1368DD831D4A8142D1E5B7D0D7A40@CY4PR14MB1368.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(6041248)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123564025)(20161123555025)(20161123560025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1368; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1368;
x-forefront-prvs: 0375972289
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39840400002)(39410400002)(39400400002)(199003)(189002)(377454003)(24454002)(74316002)(53936002)(5660300001)(236005)(38730400002)(6306002)(9686003)(33656002)(54896002)(97736004)(966005)(7696004)(106356001)(86362001)(478600001)(6506006)(101416001)(6436002)(6246003)(105586002)(99286003)(19609705001)(81166006)(8676002)(55016002)(2900100001)(14454004)(80792005)(68736007)(2906002)(606006)(81156014)(76176999)(50986999)(53546010)(54356999)(25786009)(4326008)(72206003)(93886004)(8936002)(189998001)(77096006)(6116002)(7736002)(3660700001)(790700001)(3280700002)(2950100002)(102836003)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1368; H:CY4PR14MB1368.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB13688CC2BB22F6CC44452615D7A40CY4PR14MB1368namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2017 10:00:34.2250 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1368
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: 3f0c6eab-b2ef-41e2-bcb3-f74ff101b594
X-VPM-MSG-ID: b1217ad9-b2da-45ee-b567-d2c775df1b8b
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GGIdd6Cx7pwOepSo-W52YFKBrns>
Subject: Re: [TLS] Is there a way forward after today's hum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 10:00:46 -0000

Ted
You may be aware that most enterprises have been migrating away from 3270 for 20 years or more.  Very little still exists.      What little does exist is usually implemented via tn3270.   In the browser scenario you describe I would expect the Server side to be a tn3270 server,  but you will have to fill in the details of the use case you are describing,  to be sure.

I hope the above helps,  but my real question is why would this be special or even relevant to the TLS1.3 discussion.

Attempting to address specific applications or implementations would seem only add confusion IMHO.

Thanks

Mike



From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Ted Lemon
Sent: Thursday, July 20, 2017 10:48 AM
To: Tom Ritter <tom@ritter.vg>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Is there a way forward after today's hum?

The problem is that one of the applications for web browsers is as a replacement for 3270s (the first web browser).   That use case is said to require this functionality.

On Thu, Jul 20, 2017 at 4:43 PM, Tom Ritter <tom@ritter.vg<mailto:tom@ritter.vg>> wrote:
On 20 July 2017 at 01:53, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> wrote:
>
> On 20 Jul 2017, at 8:01, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
>
> Ted, if we use a new extension, then the server cannot include it unless the
> client offered it first.  I am thinking of an approach where the server
> would include information needed by the decryptor in the response.  So, if
> the client did not offer the extension, it would be a TLS protocol violation
> for the server to include it.
>
>
> So we also add an alert called “key-export-needed” in case the client does
> not include it.
>
> That way a browser (as an example) can show the user why the connection was
> broken (“server requires wiretapping to be enabled. Go to about:config if
> that is OK and change the allow-wiretap setting to True”)

I previously expressed that I could support the extension mechanism -
I'm sympathetic to regulatory requirements and unhappy with, although
understanding of, what has become the 'standard mechanism' (breaking
crypto) to achieve them. I've looked at more than one 'end to end'
encrypted messenger that tosses in the 'third end' of key escrow.

But to suggest such a mechanism might ever be implemented in a web
browser throws my hackles up. The discussion has always been about
datacenter - the people concerned say "We don't want your datacenter
stuff in our protocol and the proponents say "No really, we only care
about the datacenter."

The concerns around some future government-mandated key escrow is very
real and very concerning.

-tom

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.

v2.23.0 | Report a Bug | By Email