Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 17 July 2017 17:37 UTC

Return-Path: <prvs=837199222b=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E49111289B0 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 10:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vp1xAzZISsZ2 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 10:37:28 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id E3E1E131B1F for <tls@ietf.org>; Mon, 17 Jul 2017 10:37:22 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v6HHbLnr044341 for <tls@ietf.org>; Mon, 17 Jul 2017 13:37:21 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-green-tls-static-dh-in-tls13-01
Thread-Index: AQHS9u8cSScAhmTiiEWvrRLNt+JsyqJKs/sAgAkO1QCAAPElgIAAA/YAgAC+XICAABt7AIAAPk+AgAAdB4CAAEOLgIAAN5MAgAAOtwCAAANWAIAAAROAgAACPICAAADAAIAB83sAgAADN4CAABV5AIAAAs+A///Lg4A=
Date: Mon, 17 Jul 2017 17:37:20 +0000
Message-ID: <455F19E0-F002-4146-A51B-0556FD3545AA@ll.mit.edu>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <87o9smrzxh.fsf@fifthhorseman.net> <CAAF6GDc7e4k5ze3JpS3oOWeixDnyg8CK30iBCEZj-GWzZFv_zg@mail.gmail.com> <54cdd1077ba3414bbacd6dc1fcad4327@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDeSv+T1ww5_nr6NPgg9k44j7y04tJWC=KeaJF7Gtt+TVQ@mail.gmail.com> <9bd78bb6-1640-68f6-e501-7377dd92172f@cs.tcd.ie> <CAAF6GDeGKEBnUZZFXX0y0a2J2+sVg8VaHh-4H9bhN0Zzk-x9uA@mail.gmail.com> <6707e55d-63d3-01e2-4e98-5cc0644e29e0@cs.tcd.ie> <35f4c84c6505493d8035c0eaf8bf6047@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcq6_ML3yHSQTy-t5irYLS10VVzk_R+7nAUKqQpgcCkrQ@mail.gmail.com> <CAPt1N1m_Zi_2faa8KHcXnic4QjXCEDkwnf=RTbo-Crvh6nMC+g@mail.gmail.com> <CAAF6GDfmoFwQSHEF79AmSDBE6W6FwCu2=n-SU7sHipfsfVTeUg@mail.gmail.com> <a5ba6836cab6417c949d536f2a2542bb@usma1ex-dag1mb1.msg.corp.akamai.com> <52C47C57-DFCB-4378-8C7C-6D8A5AFF3075@arbor.net> <09C9DBF3-75F3-4B59-8522-7ED0D0BA3AD5@gmail.com> <8013b86e-fbaf-cbd2-8680-fae37b71ec39@akamai.com> <92CF1858-7589-457B-BD1A-C9F22B7FDB0A@arbor.net>
In-Reply-To: <92CF1858-7589-457B-BD1A-C9F22B7FDB0A@arbor.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.24.0.170702
x-originating-ip: [172.26.150.37]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3583143440_102241079"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-17_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707170281
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HPXTTymoSs05BBtYHcE2pPXBhEE>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 17:37:31 -0000

On 7/17/2017, 12:45, "TLS on behalf of Roland Dobbins" <tls-bounces@ietf.org on behalf of rdobbins@arbor.net>; wrote:

    On 17 Jul 2017, at 18:35, Benjamin Kaduk wrote:
    
    
    > it could easily be enabled accidentally on the Internet, or coercively 
    > required
    > of certain entities, e.g., by national security letter, once 
    > enablement
    > is just a configuration setting (as opposed to writing code)
    
    Yes, concur.
    
    > So, in order to have something that is verifiably opt-in by both
    > parties, it seems like it would have to be a ClientHello/ServerHello
    > extension (included in the transcript for the generated traffic keys)
    > where both sides commit that they are willing to exfiltrate keys to a
    > given named entity(ies) (whether that's by raw public key, certificate
    > name, etc., is quite flexible).
    
    I agree that the extension approach is something which is worthy of 
    exploration.

Great. Then we all are in agreement.