[TLS] Chair -Moderated: Fwd: Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)

Sean Turner <sean@sn3rd.com> Thu, 15 March 2018 11:24 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B6FEA128954 for <tls@ietfa.amsl.com>; Thu, 15 Mar 2018 04:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id S3vSq4epRxLU for <tls@ietfa.amsl.com>; Thu, 15 Mar 2018 04:24:10 -0700 (PDT)
Received: from mail-pl0-x22d.google.com (mail-pl0-x22d.google.com [IPv6:2607:f8b0:400e:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B7811270AB for <tls@ietf.org>; Thu, 15 Mar 2018 04:24:10 -0700 (PDT)
Received: by mail-pl0-x22d.google.com with SMTP id 9-v6so3532242ple.11 for <tls@ietf.org>; Thu, 15 Mar 2018 04:24:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:mime-version:subject:message-id:references:to:date; bh=CsiZBtZWxU05pILbtutNmovq5XheB0LsLCR/5n6zVfQ=; b=koVxUjKzpVHxZtvQ9Qt0KbU/kswuDS61oevv+l70C64ild6Mz63rw9X9AdtL4Q5r82 xdxcWBwDpAmFvD18lIf9HS0IuciOaxtNiB3sC8S8/whR+sBlbl1LboTK4nF7BR5V7Wuy K/Tlgnj6dc2D6K96vYGKc1NWXVDjWjFD2fjhs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:references :to:date; bh=CsiZBtZWxU05pILbtutNmovq5XheB0LsLCR/5n6zVfQ=; b=LFC7PFyGwTFQNqr84QCL242dzEFNj4/rbTXxHezuIjYV9tM//6/ycZoTim7a4sv8Lq +iz4jqqO/U7L8OD3vl/d3KiNG0BNHk4z3E1GOlBkqI6pOWkDlyidwPId/ACk+EmuhVZO eIsaO6w+mj2VYirZ3hM4+W4WQNSIcvlJZdi+HEy33dzV4JBsGzB7v/ezupJ1YUo/e6xv J+ymRCGPmcet+D8qy9n1Kh8gncXERNNsdkOWGAkYj3uRAXIRcn0HE06hzPGFqjWyLAmc nD8+UP1WdKKcbahCbMtwG5MchpCLWsuO/I3hnMGzrf8EC0fopJ3YMrOUbx8nLibfOQcN 2PAw==
X-Gm-Message-State: AElRT7Gu/YX1cZ9Y9OF+KUJiZZT3X4Aw7KwfGJbCT822hi7C/BWS9gy9 TmoZ/mhHjEx7fAFoZOees6R+k29CqPc=
X-Google-Smtp-Source: AG47ELsBh1a4eGtrU5WQO2vNikO4PL1qdB1FZ42g6VCdrHmFYAHjEGz5atEHyDWb1rwXxF5tolRzHQ==
X-Received: by 2002:a17:902:8bc1:: with SMTP id r1-v6mr5948505plo.315.1521113049850; Thu, 15 Mar 2018 04:24:09 -0700 (PDT)
Received: from ?IPv6:2a00:79e0:d:fd00:3436:5920:6f57:14f8? ([2a00:79e0:d:fd00:3436:5920:6f57:14f8]) by smtp.gmail.com with ESMTPSA id q24sm8624806pgn.74.2018. for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Mar 2018 04:24:09 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_45F2D826-D251-4874-9065-B073B393B78B"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <41A08E5D-CA29-4A66-AE53-356173E89EF1@sn3rd.com>
References: <CAEPpgVDXQRDDG5UwKxLvoYXBL7NFxtftjd=kFutgKxXd91mWaA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Thu, 15 Mar 2018 11:24:06 +0000
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JnfXfw_vMCMpmCodT_P1CnYvG4Y>
Subject: [TLS] Chair -Moderated: Fwd: Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 11:24:12 -0000

I have placed this poster in the moderator queue based on RFC2418: Participation is by individual technical contributors, rather than by formal representatives of organizations [0].  They can rejoin using a personal account or identify who they are in their email’s signature.


[0] https://tools.ietf.org/rfcmarkup?doc=2418#section-1

> Begin forwarded message:
> From: Hot Middlebox <hot.middlebox@gmail.com>
> Subject: Re: [TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)
> Date: March 14, 2018 at 22:08:44 GMT
> To: "Salz, Rich" <rsalz@akamai.com>
> Cc: IETF TLS <tls@ietf.org>
> The requirements for visibility exist in an array of regulated environments worldwide.  It is one of the presentation areas in the Hot Middlebox Workshop.  http://www.etsi.org/etsi-security-week-2018/middlebox-security?tab=1 <http://www.etsi.org/etsi-security-week-2018/middlebox-security?tab=1>
> The Middlebox Hackathon site is also now public so everyone can experience how a browser plug-in client (to be provided) can be used in conjunction with a fine grained Middlebox Security Protocol for Middlebox discovery and controlled visibility by an end-user in a way that meets both user and regulatory interests.  The draft specification will be published in two weeks.
> --the Hot Middlebox organizers
> On Wed, Mar 14, 2018 at 9:42 AM, Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com>> wrote:
> >    So aside from enabling MitM, this also enables session resumption by
>     the decryption service, something that the security considerations
>     neglects to include in its list.
> So I think this is an important point.  I assume the authors did not realize this. That shows how hard, and risky, it is to get this right.  In the US, we have been having arguments where the national police force (FBI) is insisting that tech companies can create a "golden key" that only they can use, and the security people are saying it is impossible.  This seems like another instance, no?
> Oh heck, let me ask the uncomfortable question:  Russ, did you know this or was Martin's point new to you?
>         /r$
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls