IETF Logo Mail Archive

[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks

"Salz, Rich" <rsalz@akamai.com> Mon, 22 July 2024 23:06 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 698A0C1DFD30; Mon, 22 Jul 2024 16:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.25
X-Spam-Level:
X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id omH4h1JIBF1p; Mon, 22 Jul 2024 16:06:28 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 759F2C1DA1C7; Mon, 22 Jul 2024 16:06:28 -0700 (PDT)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.18.1.2/8.18.1.2) with ESMTP id 46MML3JV024028; Tue, 23 Jul 2024 00:06:27 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=jan2016.eng; bh=cPal6SEYwFU19oSEX1wgis dM+nll68Gr9DL49Hy9Hzg=; b=hx1O62c9IxJS16m3VVL5RN2ov3lJV9QvDsITcq QS2tL3jiyYGSwA5mMs0QrrQrEq7Pqy45V7Gk1TTYkDEnhMpwF5o64TAFu6Y1RSVy ZdGkUl/sd31rsNJ2BBFYHWmjboWamWmAbdYHsvareuL0RRGVsSj2V0WfqvJagns+ OgdLk7GcT6WBVKu4OLKWkPF10VBiGH9EUKqc+erLbW6j3c0bw2Y1+XyLogqtLBoF y9dOphVYouYdQVZlwSVgOKyeGmElSrG16bA/NnGdc9N5X/bvMz2ys//tbhDq/UeV L4kIh7O6K8N0UrQ+SYadFknX5bkzASF7i12icSa8wSX+c+5Q==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by m0050095.ppops.net-00190b01. (PPS) with ESMTPS id 40g4s9n4vw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 23 Jul 2024 00:06:27 +0100 (BST)
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 46MIIMpd031554; Mon, 22 Jul 2024 19:06:25 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.207]) by prod-mail-ppoint1.akamai.com (PPS) with ESMTPS id 40g8k092nu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 22 Jul 2024 19:06:25 -0400
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) by ustx2ex-dag4mb8.msg.corp.akamai.com (172.27.50.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 22 Jul 2024 16:06:24 -0700
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) by ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) with mapi id 15.02.1258.034; Mon, 22 Jul 2024 16:06:24 -0700
From: "Salz, Rich" <rsalz@akamai.com>
To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
Thread-Index: AQHa2klWWHyBMcM1SEaMEQwnm/4pk7H/VWiAgAAIcYD//9GWAIAATvcAgACLq4CAAANtgIAAVx0AgALJ2ICAAEE0gIAAAYMAgAAKz4CAAAbDgIAAB7GAgAAQ/ACAAC8lAP//yrSA
Date: Mon, 22 Jul 2024 23:06:24 +0000
Message-ID: <A4DA0C3B-5ED3-4A2B-8CAE-B0B1ED862F29@akamai.com>
References: <CACsn0cmhsh-zeJOaa7xy_2crxgvhAF=nK9FqWxxf1dB2SMhMyQ@mail.gmail.com> <Zpu0reBpH3dtFYdf@LK-Perkele-VII2.locald> <CADQzZqtsj272Gt771Ef=VhS2+WvWKkct0Jx1=wmyS7kTu0ds1w@mail.gmail.com> <CAF8qwaB3VuWSYTi-gH99+N_cgi1ZAdMpzhrSE4=KTD5xbQMwXA@mail.gmail.com> <CADQzZqtyCQwQR2WPrBdqGGUm_tvZ7Akra5z9vqJ30x9vWBtxew@mail.gmail.com> <CAF8qwaDt-vhUb-E48874QLKe-YOc3xzC4VsArzYf_BGREz0+QQ@mail.gmail.com> <CADQzZqvw0Phv1oa--C6HSZJpKkG899v36g-xXrwyiKpM8cyYJw@mail.gmail.com> <254e0d54-7438-4666-8a0b-1ddf431e65d4@dennis-jackson.uk> <CADQzZqupwoqLbJNEU4RgA+G983_a34g-MmHsJN=XZygjLtDUkw@mail.gmail.com> <5f23bc91-b0a4-4ba4-add8-e920ca9c7784@dennis-jackson.uk> <Zp6y2ImjHI1R0oy6@LK-Perkele-VII2.locald> <5a942952-09e1-4aab-b321-cb05ea9c9528@dennis-jackson.uk>
In-Reply-To: <5a942952-09e1-4aab-b321-cb05ea9c9528@dennis-jackson.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.87.24071426
x-originating-ip: [172.27.118.139]
Content-Type: multipart/alternative; boundary="_000_A4DA0C3B5ED34A2B8CAEB0B1ED862F29akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-22_16,2024-07-22_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=489 spamscore=0 phishscore=0 suspectscore=0 malwarescore=0 mlxscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2407110000 definitions=main-2407220171
X-Proofpoint-GUID: Igq54XlmORFrAk8azF4QFSqL92_Bc5ec
X-Proofpoint-ORIG-GUID: Igq54XlmORFrAk8azF4QFSqL92_Bc5ec
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-22_16,2024-07-22_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 priorityscore=1501 spamscore=0 mlxlogscore=327 impostorscore=0 malwarescore=0 suspectscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2407110000 definitions=main-2407220172
Message-ID-Hash: GE4UQCI6KNTRX3MKANPQYUYUG5B3PJVC
X-Message-ID-Hash: GE4UQCI6KNTRX3MKANPQYUYUG5B3PJVC
X-MailFrom: rsalz@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NV61UzH3JunyuSwG8UgepaIeApQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I agree adding a new API for T.E. which applications could opt in to would be fine. But could T.E. ever be enabled by default without breaking the existing API and requiring application changes?

Yes it could. For example, you’d have to add meta-data identifying the ‘directory of certs’ that are typically used so that it could become a named trust store. Assume that’s a fixed filename, like “trust-store-id.txt” or something. Then when you specify that directory (e.g., via [1]) it could look for the fixed filename and send that identifying information.

Of course there are many ways in OpenSSL to specify how you want to trust things, but at least you’d have a migration path.

[1] https://www.openssl.org/docs/man3.0/man3/SSL_CTX_load_verify_locations.html

v2.37.1 | Report a Bug | By Email | System Status