Re: [TLS] chairs - please shutdown wiretapping discussion...

Eric Mill <eric@konklone.com> Sun, 09 July 2017 01:05 UTC

To: Paul Turner <PAUL.TURNER@venafi.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Yaron Sheffer <yaronf.ietf@gmail.com>, tls chair <tls-chairs@tools.ietf.org>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <634dbf72eee14617a2359f2792d4aee0@venafi.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MHG2smTnxoZ4n3teW15jUC7M_Xw>

On Sat, Jul 8, 2017 at 11:31 AM, Paul Turner <PAUL.TURNER@venafi.com> wrote:
>
> The Internet Draft describes the use of static (EC)DHE for traffic
> entirely inside enterprise networks and intends to clearly state that it
> should not be used for "information passed across the Internet". If we have
> not been clear enough on that in the document, please tell us how we can be
> more clear. Assuming that the document is clear on this point, it would not
> then apply to "wiretapping" as defined in RFC 2804 (as Russ mentioned in an
> earlier email).
>

The IETF's position as expressed in 2804 is on technologies that
"facilitate" wiretapping. What the RFC says the protocol is "intended for"
in layer 8 isn't as relevant as how the technology could easily be used,
once standardized.

The burden on the proposers should be to demonstrate that the technology
can *only* be used in the manner of its stated intent, even if the humans
involved were all hostile, or compelled to be hostile.

> You have stated that there are alternatives by using proxies but enterprise
> organizations have stated this is not viable due to the complexity and
> scale of their network environments.

Not all statements are created equal. Stating that proxies can technically
fulfill this function is objective, and can be backed up in clear technical
detail.

Stating that proxies are not viable for enterprise organizations due to the
scale and complexity of their network environments is subjective, generally
not well-detailed, and much more open to skepticism.

The burden on the proposers should be to address this skepticism, and to
justify to the working group why enterprises that are large enough and
well-funded enough to have such vast and complex networks cannot invest in
upgrading those networks to an approach that doesn't rely on directly
weakening their own connection security and potentially the security of
others' through the unintended consequences of formalizing this RFC.


> Our collective objective is to increase the security of the Internet at
> large. As such, we have proposed this RFC in order to ensure that TLS 1.3
> is adopted as broadly as possible inside of enterprises, which is an
> important step in increasing security.


So is increasing the use of forward secret connections within enterprise
network environments. Why should the TLS WG accept the argument that legacy
approaches to monitoring enterprise networks are worth risking the
weakening of the product of years of hard work?

-- Eric


> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Stephen Farrell
> Sent: Saturday, July 8, 2017 10:33
> To: Yaron Sheffer <yaronf.ietf@gmail.com>; tls chair <
> tls-chairs@tools.ietf.org>
> Cc: tls@ietf.org
> Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
>
>
>
> On 08/07/17 15:27, Yaron Sheffer wrote:
> > Hi Stephen,
> >
> > Like you, I am very unhappy with this draft, and would not support its
> > adoption as a WG draft. However I think that open discussion is in
> > general good, and that the best venue for discussion of this draft is
> > this mailing list. Even if some of this discussion devolves into
> > generic "are we pro or against wiretapping" questions.
>
> FWIW I believe that we have had that discussion about breaking tls over
> and over on this and other lists. I see no value in doing it yet again,
> even if the proximate cause is a new variation of the "here's a way to
> break tls" class of drafts. (Someday we should find someone who'd document
> all the broken break-tls ideas that have been rightly rejected over the
> years.)
>
> >
> > I don't think this is a significant distraction that could derail
> > (D)TLS, moreover, you will recall that in Chicago several new drafts
> > were adopted to the working group. So the WG does feel that TLS is in
> > good enough shape that we can spend some bandwidth on other things.
>
> Maybe I'm more easily distracted, at least by this topic;-)
>
> Anyway, I'm fine that it's for the chairs to figure that out.
>
> S.
>
>
> > Thanks,
> >
> >     Yaron
> >
> >
> > On 08/07/17 12:17, Stephen Farrell wrote:
> >> Sean/Joe,
> >>
> >> This is a request that you, as chairs, shut down the distracting
> >> wiretapping discussion, at least until DTLS1.3 is done.
> >>
> >> I have planned to spend time reading draft 21 and DTLS, but that
> >> won't happen if we keep having to fight off the latest attempts to
> >> break TLS. I'd not be surprised if I weren't the only one finding
> >> that distraction an irritating waste of time. Finishing
> >> TLS1.3 and getting DTLS1.3 on the way surely needs to not be
> >> constantly de-railed by these attempts to break TLS.
> >>
> >> Therefore I'd ask that you declare this discussion closed for at
> >> least that long (i.e until DTLS1.3 is done).
> >>
> >> I'd also ask that you not allocate agenda time for wiretapping in
> >> Prague.
> >>
> >> Thanks,
> >> S.
> >>
> >>
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> >
>
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
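The property the thread turns on, forward secrecy versus a reusable static (EC)DHE exponent, as an added example that is not part of the original message or of the Internet Draft under discussion. It assumes a constructed toy Diffie-Hellman group (p = 2^127 - 1, g = 3) and SHA-256/HMAC in place of TLS 1.3's real groups and HKDF; the draft's own key-handling details are not reproduced. It records what a passive observer sees of each handshake (both public values and a Finished-style key-confirmation tag) and then checks which session a later holder of the server's long-lived exponent can reconstruct from that record alone, which is the "facilitates wiretapping" question from RFC 2804 stated as code.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only (not a TLS group):
# p = 2^127 - 1 is a Mersenne prime, g = 3. Real TLS 1.3 uses X25519 or the
# FFDHE/NIST groups and HKDF; the algebra of the exchange is the same.
P = (1 << 127) - 1
G = 3


def keypair():
    """Generate a DH private exponent x and the matching public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, p-2]
    return x, pow(G, x, P)


def derive_key(shared, client_pub, server_pub):
    """Bind the session key to the shared secret and both public values (stand-in for HKDF)."""
    transcript = (shared.to_bytes(16, "big")
                  + client_pub.to_bytes(16, "big")
                  + server_pub.to_bytes(16, "big"))
    return hashlib.sha256(transcript).digest()


def finished_tag(key):
    """Key-confirmation MAC, standing in for the TLS Finished message."""
    return hmac.new(key, b"finished", hashlib.sha256).digest()


def handshake(server_priv, server_pub):
    """One client/server exchange. Returns what a passive observer records, plus the session key."""
    client_priv, client_pub = keypair()
    shared_client = pow(server_pub, client_priv, P)
    shared_server = pow(client_pub, server_priv, P)
    assert shared_client == shared_server          # both sides agree on g^(xy) mod p
    key = derive_key(shared_client, client_pub, server_pub)
    record = {"client_pub": client_pub, "server_pub": server_pub, "finished": finished_tag(key)}
    return record, key


def ephemeral_handshake():
    """Forward-secret session: the server's DH exponent exists only for this handshake."""
    server_priv, server_pub = keypair()
    record, key = handshake(server_priv, server_pub)
    del server_priv                                # nothing retains the exponent after this point
    return record, key


def static_handshake(static_priv, static_pub):
    """Static-DH session: every connection reuses the same long-lived exponent."""
    return handshake(static_priv, static_pub)


def recover_session_key(record, candidate_priv):
    """What a party holding candidate_priv and a recorded transcript can compute later.
    Returns the session key if candidate_priv reproduces the Finished tag, else None."""
    shared = pow(record["client_pub"], candidate_priv, P)
    key = derive_key(shared, record["client_pub"], record["server_pub"])
    if hmac.compare_digest(finished_tag(key), record["finished"]):
        return key
    return None


def compare():
    """Run both kinds of session and report which one the static-key holder can recover."""
    static_priv, static_pub = keypair()
    eph_record, _ = ephemeral_handshake()
    static_record, static_key = static_handshake(static_priv, static_pub)
    return {
        "ephemeral_recovered": recover_session_key(eph_record, static_priv) is not None,
        "static_recovered": recover_session_key(static_record, static_priv) == static_key,
    }


if __name__ == "__main__":
    print(compare())   # {'ephemeral_recovered': False, 'static_recovered': True}
```

The record is identical in shape for both sessions; the only difference is whether an exponent that reproduces the Finished tag still exists anywhere after the handshake. With the ephemeral exponent deleted, the recorded transcript by itself is useless to anyone, including the server's own operator; with a static exponent, whoever holds or is later compelled to hand over that one value can derive the key for every recorded session that used it, which is why the exchange weakens security for all such sessions rather than only the one being monitored.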