Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Ashutosh Singh <ashusing@gmail.com> Tue, 28 July 2020 05:23 UTC
From: Ashutosh Singh <ashusing@gmail.com>
Date: Mon, 27 Jul 2020 22:22:47 -0700
Message-ID: <CACsiE8zgE_1K5JyRfKV7_CvYVzHA4A_JFEXdr5gx=SXtuTUKoQ@mail.gmail.com>
To: Roelof duToit <r@nerd.ninja>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, OPSEC <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
I agree with the proposed approach and I also believe in discussion around safe and responsible middlebox deployment. I support the adoption of this draft!

Regards
-Ashu

On Mon, Jul 27, 2020 at 7:45 PM Roelof duToit <r@nerd.ninja> wrote:
> RFC 8446, section 9.3 states:
>
> Note that TLS's protocol requirements and security analysis only
> apply to the two connections separately. Safely deploying a TLS
> terminator requires additional security considerations which are
> beyond the scope of this document.
>
> The context of that paragraph is "A middlebox which terminates a TLS
> connection" and it implies that there are *undocumented* security
> considerations.
> The tls-proxy-bp draft is a contribution towards that goal and we think it
> is worth the effort.
>
> --Roelof
>
> > On Jul 27, 2020, at 8:35 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> >
> > On 28/07/2020 00:48, Eric Wang (ejwang) wrote:
> > > We felt the lack of a baseline bcp is going to hurt the security
> > > posture of TLS rather than driving the intermediary away.
> >
> > That makes no sense to me.
> >
> > Adopting this draft will require eliminating all such
> > gibberish and instead finding text that can garner IETF
> > consensus. I really do not think that effort is worth
> > the significant cost for anyone involved, pro-MITM or
> > not.
> >
> > S.