Re: [TLS] Breaking into TLS to protect customers

Benjamin Kaduk <kaduk@mit.edu> Mon, 19 March 2018 16:38 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DEC5127201 for <tls@ietfa.amsl.com>; Mon, 19 Mar 2018 09:38:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoDxwlDH_bAZ for <tls@ietfa.amsl.com>; Mon, 19 Mar 2018 09:38:50 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7898126B6E for <tls@ietf.org>; Mon, 19 Mar 2018 09:38:49 -0700 (PDT)
X-AuditID: 1209190e-79bff70000001eb7-ec-5aafe798d1a1
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id F0.A3.07863.897EFAA5; Mon, 19 Mar 2018 12:38:48 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w2JGcl2U018824; Mon, 19 Mar 2018 12:38:48 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2JGchPv005398 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 19 Mar 2018 12:38:46 -0400
Date: Mon, 19 Mar 2018 11:38:43 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ryan Sleevi <ryan-ietftls@sleevi.com>
Cc: Colm =?iso-8859-1?Q?MacC=E1rthaigh?= <colm@allcosts.net>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180319163843.GN55745@kduck.kaduk.org>
References: <C43EDAAC-1CA1-4289-8659-B2E05985F79C@akamai.com> <E22E3F4C-2A44-4F17-9FEA-18760C36A1E8@gmail.com> <0bd7ed2d174a45d993026c8ed0443ae8@LXDOMEXC01.ssidom.com> <6888195D-1AD6-45B1-8F77-AFA088CFF78A@gmail.com> <87y3iottae.fsf@fifthhorseman.net> <CAAF6GDeAOKtCF5BhfyG6wEd5L-mevKeuDMM1AmgdGKyfuEyzdQ@mail.gmail.com> <CAErg=HExeE0L3Lw4i2gEx3URVfci=RrODHBcVR_EF255R1FYvw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAErg=HExeE0L3Lw4i2gEx3URVfci=RrODHBcVR_EF255R1FYvw@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDKsWRmVeSWpSXmKPExsUixCmqrDvj+foog3fPrS2+NO1mtNh07gGj xafzXYwOzB7XF+1m9Viy5CeTR/Pu3SwBzFFcNimpOZllqUX6dglcGUvaG1gL/rJUXJ8p3cD4 g7mLkZNDQsBE4nnjK9YuRi4OIYHFTBJd+yYwQTgbGSV2r9/BAlIlJHCVSeLZpHgQm0VAVeLR 3HPsIDabgIpEQ/dlsEkiApoSS2+8YwWxmQVSJDpuz2cDsYUFLCUe7Z8BVM/BwQu07fgldoiR E5kllu2xBbF5BQQlTs58wgLRqiOxc+sdNpByZgFpieX/OCDC8hLNW2eDbeIUCJRo67/CBGKL CihL7O07xD6BUXAWkkmzkEyahTBpFpJJCxhZVjHKpuRW6eYmZuYUpybrFicn5uWlFuka6+Vm luilppRuYgQHuSTfDsZJDd6HGAU4GJV4eDXurI8SYk0sK67MPcQoycGkJMqbPxEoxJeUn1KZ kVicEV9UmpNafIhRgoNZSYT36ZV1UUK8KYmVValF+TApaQ4WJXFedxPtKCGB9MSS1OzU1ILU IpisDAeHkgTv4mdAQwWLUtNTK9Iyc0oQ0kwcnCDDeYCG14PU8BYXJOYWZ6ZD5E8xGnO0rXzS xsxx48XrNmYhlrz8vFQpcV4nkFIBkNKM0jy4aaBEJZG9v+YVozjQc8K8VSBVPMAkBzfvFdAq JqBVPkvXgKwqSURISTUwsu3muda3LUJ3W6TS3hucy7aZf/tR9peJ7b3NanZnsXdL539+3TVb 8DfLy8db3vw8r3os4YzUGpZlSxY83XuEn/fchhNqr66/4Pb9XN4nZnTlRY1Z/U+RMk3JKbof oltMPnHvudqh3zdpuuGm7jViQlWLmZpPL1rPnhC4Pmn9jTaXV/5XNiWm+ymxFGckGmoxFxUn AgCYj+0ULwMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Nn75Oyz-gSSEOPLxeQKxqongly8>
Subject: Re: [TLS] Breaking into TLS to protect customers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 16:38:51 -0000

On Mon, Mar 19, 2018 at 12:22:48PM -0400, Ryan Sleevi wrote:
> On Mon, Mar 19, 2018 at 10:20 AM, Colm MacCárthaigh <colm@allcosts.net>;
> wrote:
> 
> > 2/ clients and browsers could easily consider such sessions insecure by
> > default. This would mean that adopters would have to deploy configurations
> > and mechanisms to enable this functionality, similar to - but beyond - how
> > private root CAs can be inserted.
> >
> 
> I thought the use case was that this was not for clients and browsers, but
> for server<->server interactions.

This is an important question the answer to which remains unclear,
to me.

-Ben