Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Russ Housley <housley@vigilsec.com> Fri, 07 July 2017 17:39 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09D6D1317A9 for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 10:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXaIPb5MqQhV for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 10:39:46 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DEE512700F for <tls@ietf.org>; Fri, 7 Jul 2017 10:39:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B6D82300563 for <tls@ietf.org>; Fri, 7 Jul 2017 13:39:45 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 5Ayu2AAAf2LE for <tls@ietf.org>; Fri, 7 Jul 2017 13:39:44 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 85760300250; Fri, 7 Jul 2017 13:39:44 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CACsn0cnP-WSKiU4vkHK4947DWCLgF+_9XB6i0tkSVpZ5MOKUmw@mail.gmail.com>
Date: Fri, 07 Jul 2017 13:39:43 -0400
Cc: IETF TLS <tls@ietf.org>, Matthew Green <matthewdgreen@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EAEC799C-4323-4C15-9BB1-32E195024DFD@vigilsec.com>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CY4PR14MB1368937FF0CF489ABD97E2C4D7AA0@CY4PR14MB1368.namprd14.prod.outlook.com> <CACsn0cnP-WSKiU4vkHK4947DWCLgF+_9XB6i0tkSVpZ5MOKUmw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MpGm2y4Jo2uwkL6sxJmeF97bB_w>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 17:39:48 -0000

Watson:

>> This document is extremely well written and describes the needs of
>> enterprises well,  IMHO.    I believe and have heard,  there are similar
>> needs beyond the enterprise realm,  but since we are the only ones formally
>> expressing concerns, so be it.
> 
> Why does the IETF need to be involved, given this solution exists?

I would like there to be one way for the key manager to load the non-ephemeral key into the server and the authorized decrypt parties.  Without an RFC, I fear there will be many ways that this is handled, with varying levels of security.

Russ