Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

"Eric Wang (ejwang)" <ejwang@cisco.com> Thu, 30 July 2020 04:47 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: Eric Rescorla <ekr@rtfm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ron Bonica <rbonica@juniper.net>, OPSEC <opsec@ietf.org>, Nick Harper <nharper@google.com>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 30 Jul 2020 04:47:29 +0000
Message-ID: <16DCF5D7-CC18-4015-ADE1-D67A3EBAEDB5@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NbUNdQVq-MOicP-VdBeTFSsoh1g>

To echo the ickiness part… Putting on my end-user hat, if I have to take it with an enterprise device on the enterprise network, I would rather it be done securely, respecting my privacy... If I’m on my home network, I want an easy way to detect and reject it, no matter whether it is from a vendor, provider or state. At this time, there seems to be no easy way on either side.


On Jul 29, 2020, at 6:26 PM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:

> I would say rather that those analyses consider them as protocol endpoints and address the two individual connections terminated by the proxy and have nothing to say about the composition of those two connections.

I think that some of those opposed are conflating the general “end to end” argument with what the TLS protocol RFC says, as ekr is saying.

Conformance isn’t the issue, really, it’s ickiness. It’s one thing if an enterprise installs intermediaries to monitor the outbound traffic on its machines, it’s another if a national-scale attacker does so surreptitiously, and it’s various other things along those spectrums. We’d all like a clear bright line to say YES here, NO there, and WELL MAYBE IF YOU MUST over there, but that’s not possible.