Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Ted Lemon <mellon@fugue.com> Tue, 24 October 2017 19:59 UTC

Message-Id: <BC5ABCF3-E36D-47B0-8D9B-D554B29359CF@fugue.com>
In-Reply-To: <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov>
Cc: "tls@ietf.org" <tls@ietf.org>
To: "David A. Cooper" <david.cooper@nist.gov>
References: <cde0e322-797c-56e8-8c8d-655248ed7974@nist.gov> <FB95CAC8-C967-4724-90FB-B7E609DADF45@akamai.com> <8A5E441B-90B7-4DF4-BD45-7A33C165691B@gmail.com> <3BA34D7B-BB04-4A1F-B18A-B0AC25402C4B@gmail.com> <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KqeDh_odDWNsPNu6iGmzwYiUFOg>

On Oct 24, 2017, at 3:54 PM, David A. Cooper <david.cooper@nist.gov> wrote:
> There are already middleboxes on the market today that do this. They work for all outgoing connections and don't require any cooperation whatsoever from the outside servers that the clients are trying to connect to, and only expert users would notice the presence of the MiTM.

They are also quite expensive because they have to generate certs on the fly. If you look at environments where these are in use, they tend to be either high-margin, or else low-use. So e.g. you only redirect TLS connections that you absolutely need to intercept through the box; other connections are terminated normally. Practically speaking, I don't see any cash-strapped school spending money on one of these devices.