Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Ted Lemon <mellon@fugue.com> Tue, 24 October 2017 20:01 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <88AB2AEF-D780-4A29-B9AE-6096CEBF2F7F@fugue.com>
Date: Tue, 24 Oct 2017 16:01:30 -0400
In-Reply-To: <BC5ABCF3-E36D-47B0-8D9B-D554B29359CF@fugue.com>
Cc: "tls@ietf.org" <tls@ietf.org>
To: "David A. Cooper" <david.cooper@nist.gov>
References: <cde0e322-797c-56e8-8c8d-655248ed7974@nist.gov> <FB95CAC8-C967-4724-90FB-B7E609DADF45@akamai.com> <8A5E441B-90B7-4DF4-BD45-7A33C165691B@gmail.com> <3BA34D7B-BB04-4A1F-B18A-B0AC25402C4B@gmail.com> <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov> <BC5ABCF3-E36D-47B0-8D9B-D554B29359CF@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/H1mm_x0TGB02HBmvJ-DEJRvpZKE>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Oct 24, 2017, at 3:59 PM, Ted Lemon <mellon@fugue.com> wrote:
> On Oct 24, 2017, at 3:54 PM, David A. Cooper <david.cooper@nist.gov> wrote:
>> There are already middleboxes on the market today that do this. They work for all outgoing connections and don't require any cooperation whatsoever from the outside servers that the clients are trying to connect to, and only expert users would notice the presence of the MiTM.
> 
> They are also quite expensive because they have to generate certs on the fly. If you look at environments where these are in use, they tend to be either high-margin, or else low-use. So e.g. you only redirect TLS connections that you absolutely need to intercept through the box; other connections are terminated normally. Practically speaking, I don't see any cash-strapped school spending money on one of these devices.

BTW, if you find this argument unconvincing, consider why these boxes aren't being proposed for use as an alternative to draft-rhrd-tls-tls13-visibility-00. :)