Re: [TLS] Deployment ... Re: This working group has failed
Kyle Hamilton <aerowolf@gmail.com> Sun, 17 November 2013 20:43 UTC
Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 245BD11E929B for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 12:43:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.933
X-Spam-Level:
X-Spam-Status: No, score=-0.933 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIyuMBDv6RFi for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 12:43:35 -0800 (PST)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 9622E11E9299 for <tls@ietf.org>; Sun, 17 Nov 2013 12:43:23 -0800 (PST)
Received: by mail-we0-f169.google.com with SMTP id t60so460449wes.28 for <tls@ietf.org>; Sun, 17 Nov 2013 12:43:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nZhmPpyrp7xiN0aXAhsyYpnf/J/p44mpzxo+0T5SyqQ=; b=HVwoqgBwOD7NEUCTStsJJof8EdS4FUGdXiou631gG6hiDVvJ1sIypSTGhycIQeShjA E/wb/srCuRcdNrdRKD2pgSCcOP8Y/ezVACzLaJPB70yFYWr16Yf6aGT+5BWs4CYn5G9Z bkPldCvKqHpUckCa2BPuIY5IwetVSrXA567JE8kLKuVLuC5rRbE/kHyXFPg7IaS8pVZZ /oOaP1CUR795J+M7p/K94LfH2D2HwlOY0eHjB1mQ3ok6mJU+I7R/ylE18GW1AL1ewODL BoD/EhukK5KARt7fFclBca9Q6NPdsCUPupK0vZcsqnN8zQA20QQaE+lBOqn9Tvo9rsic cJkg==
MIME-Version: 1.0
X-Received: by 10.194.122.99 with SMTP id lr3mr13764458wjb.21.1384721002388; Sun, 17 Nov 2013 12:43:22 -0800 (PST)
Received: by 10.194.134.67 with HTTP; Sun, 17 Nov 2013 12:43:22 -0800 (PST)
Received: by 10.194.134.67 with HTTP; Sun, 17 Nov 2013 12:43:22 -0800 (PST)
In-Reply-To: <52874576.9000708@gmx.net>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net>
Date: Sun, 17 Nov 2013 12:43:22 -0800
Message-ID: <CAPMEXDbgp5+Gg6mkMWNrcOzmAbSpv3kjftGV0cjpqvMnRxpw=A@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="089e011779b575e36f04eb657b28"
Cc: tls@ietf.org
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 20:43:37 -0000
If the library were a drop-in replacement that didn't alter binary compatibility, it would be a simple matter to just drop it in, put a new config defaults and override file in place, and call it done. Unfortunately, C is not this easy. The application linking process is complex (particularly with OpenSSL's FIPScanister), and it's not getting any easier -- I love how simple it is to drop a new CLR assembly in place and have the environment simply pick up the changes, but that configurability comes at the price of having to use the CLR runtime. Perhaps something that would perform the same function as and overload/override the platform-native dynlib loading would help, then integrated into the security libraries that most need it, would help. I have found myself despising C and C++ and other compiled-to-native languages as a result of this kind of thing. I am not volunteering to create such, and frankly I wouldn't even know where to begin -- but standardizing dynamic library capabilities across most/all OSes would go a long way toward making security updates and new security capabilities much easier for administrators to deal with. -Kyle H On Nov 16, 2013 2:14 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote: > Hi Watson, > > I understand your frustration and I wanted to pick up one point that you > raised, namely why does it take so long to get TLS versions and extensions > deployed. > > I had recently a chat with a friend, Thomas Schreck who works for the > Siemens CERT, and in the discussion about TLS I told him that he needs to > deploy TLS 1.2 inside the company. He responded to me that support for TLS > 1.2 has only been added to OpenSSL last year (which seems to be correct > when I check the change logs where the initial support has been added with > version 1.0.1). > > The TLS 1.2 spec was, however, finished in 2008. > > Having the code in the library is only the first step since then all the > applications that use the library also need to be updated (re-compliled at > least and shipped). Hard to say how long that takes and depends on the > application and the company. > > To be positive and constructive in the discussion I wonder what could be > done to improve the situation. > > Does the OpenSSL and the GnuTLS projects (and other projects) need more > contributors? > > Is there more awareness building needed to get companies to understand > what the different libraries provide and why they should use a particular > version? > > Where does the delay come from? > > Ciao > Hannes > > Am 16.11.13 05:53, schrieb Watson Ladd: > >> In the past decade there have been many attacks against TLS. >> With the exception of CRIME, not one of them relied on any results >> that were not known >> at the time the TLS 1.0 standard was being written. (See the citations >> for the RC4 paper to see this, or the infamous Rogaway email about AtE >> vs EtA). Every time this standards group has had a choice to make >> regarding cryptography, they have made the wrong one. Even AES-GCM got >> screwed up: nonces should be counters, but all implementations make >> them random, introducing an artificial birthday bound issue due to >> truncation in the standard. >> >> TLS is solving the deadest of dead problems in cryptography: using the >> PKI to establish a secure channel between two endpoints. Diffie and >> Hellman solved this in their paper. Were TLS to be submitted by an >> undergraduate as a solution to this problem it would earn an F. >> Implementers such as AGL are bypassing the WG, choosing to emit I-Ds >> and implementing and deploying because there is little to be gained >> from WG discussions. This is not necessarily a bad thing, but it does >> raise a question of whether what is good for Google is good for the >> Web as a whole. >> >> What problems would a hypothetical competition solve that TLS 1.2 >> hasn't already? Let's deal with real problems: TLS 1.2 is not getting >> deployed, RC4 is still out there, the handshake protocol takes too >> many round trips and is very hard to implement in an interoperable way >> due to options, all the implementations with modern cryptographic >> support have sucky APIs that make it impossible for ordinary >> developers to use correctly, etc. All of this I have said before as >> main priorities, but they are the biggest issues affecting us today. I >> propose that a chair (do we have one?) convene a meeting via IRC or in >> person at some convenient event to determine what problems should be >> priorities, and then we will address them. >> >> There are a few good points: I am glad to see that major vendors are >> represented on this list, and are generally willing to work together >> to insure interoperability and remove obstacles to improving internet >> security. I am also glad to see that we are acutely aware of the >> issues currently threatening the lives and property of internet users. >> >> Sincerely, >> Watson >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] This working group has failed Watson Ladd
- [TLS] Deployment ... Re: This working group has f… Hannes Tschofenig
- Re: [TLS] Deployment ... Re: This working group h… Taylor Hornby
- Re: [TLS] This working group has failed SM
- Re: [TLS] This working group has failed Ralph Holz
- Re: [TLS] Deployment ... Re: This working group h… Hannes Tschofenig
- Re: [TLS] Deployment ... Re: This working group h… Yoav Nir
- Re: [TLS] Deployment ... Re: This working group h… Hannes Tschofenig
- Re: [TLS] This working group has failed Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Mark Nottingham
- Re: [TLS] Deployment ... Re: This working group h… Kyle Hamilton
- Re: [TLS] Deployment ... Re: This working group h… Juho Vähä-Herttua
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Salz, Rich
- Re: [TLS] Deployment ... Re: This working group h… Andrei Popov
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Watson Ladd
- Re: [TLS] Deployment ... Re: This working group h… Geoffrey Keating
- Re: [TLS] Deployment ... Re: This working group h… Michael Staubermann
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Joshua Davies
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Andy Lutomirski
- Re: [TLS] Deployment ... Re: This working group h… Kirils Solovjovs
- Re: [TLS] Deployment ... Re: This working group h… Andy Wilson
- Re: [TLS] Deployment ... Re: This working group h… Marsh Ray
- Re: [TLS] Deployment ... Re: This working group h… Ralf Skyper Kaiser
- Re: [TLS] Deployment ... Re: This working group h… Ben Laurie
- [TLS] TLS protocol version intolerance [Was: Re: … Ivan Ristić
- Re: [TLS] Deployment ... Re: This working group h… Zooko Wilcox-OHearn
- Re: [TLS] TLS protocol version intolerance [Was: … Michael Sweet
- Re: [TLS] TLS protocol version intolerance [Was: … Eric Rescorla
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- Re: [TLS] Deployment ... Re: This working group h… Andy Lutomirski
- Re: [TLS] Deployment ... Re: This working group h… Martin Rex
- [TLS] multiple clients in one process (was: Re: D… Patrick Pelletier
- Re: [TLS] multiple clients in one process (was: R… Andy Lutomirski
- Re: [TLS] multiple clients in one process (was: R… Daniel Kahn Gillmor
- Re: [TLS] multiple clients in one process (was: R… Nico Williams
- Re: [TLS] multiple clients in one process (was: R… Nikos Mavrogiannopoulos
- Re: [TLS] multiple clients in one process (was: R… Andy Lutomirski