Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Ashutosh Singh <ashusing@gmail.com> Tue, 28 July 2020 05:23 UTC
From: Ashutosh Singh <ashusing@gmail.com>
Date: Mon, 27 Jul 2020 22:22:47 -0700
Message-ID: <CACsiE8zgE_1K5JyRfKV7_CvYVzHA4A_JFEXdr5gx=SXtuTUKoQ@mail.gmail.com>
To: Roelof duToit <r@nerd.ninja>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, OPSEC <opsec@ietf.org>,
OpSec Chairs <opsec-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>,
"Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>,
"Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NvsLYC_OJNL7NbLRbWi5eNvnlBs>
I agree with the proposed approach and I also believe in discussion around safe and responsible middlebox deployment. I support the adoption of this draft!

Regards
-Ashu

On Mon, Jul 27, 2020 at 7:45 PM Roelof duToit <r@nerd.ninja> wrote:
> RFC 8446, section 9.3 states:
>
> Note that TLS's protocol requirements and security analysis only
> apply to the two connections separately. Safely deploying a TLS
> terminator requires additional security considerations which are
> beyond the scope of this document.
>
> The context of that paragraph is "A middlebox which terminates a TLS
> connection" and it implies that there are *undocumented* security
> considerations.
> The tls-proxy-bp draft is a contribution towards that goal and we think it
> is worth the effort.
>
> --Roelof
>
> > On Jul 27, 2020, at 8:35 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> >
> > On 28/07/2020 00:48, Eric Wang (ejwang) wrote:
> > > We felt the lack of a baseline bcp is going to hurt the security
> > > posture of TLS rather than driving the intermediary away.
> >
> > That makes no sense to me.
> >
> > Adopting this draft will require eliminating all such
> > gibberish and instead finding text that can garner IETF
> > consensus. I really do not think that effort is worth
> > the significant cost for anyone involved, pro-MITM or
> > not.
> >
> > S.