Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Carrick Bartle <cbartle891@icloud.com> Thu, 30 July 2020 00:29 UTC

From: Carrick Bartle <cbartle891@icloud.com>
In-Reply-To: <32561228-08fc-79ea-1b2e-f5de87b9c8fe@cs.tcd.ie>
Date: Wed, 29 Jul 2020 17:28:57 -0700
Cc: Eric Rescorla <ekr@rtfm.com>, Ron Bonica <rbonica@juniper.net>, OPSEC <opsec@ietf.org>, Nick Harper <nharper=40google.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Message-Id: <6D2456B4-4725-47B9-AAF9-67C0ABDFA802@icloud.com>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <d9a9ea94-4c4a-40eb-8841-7a92fa31103e@www.fastmail.com> <34226646-93F3-4592-A972-A55B160D5B78@cisco.com> <CACdeXi+7oQgcg=-vFqxLnEFtg__6AehWXyE5ey8CBFiw9Vh8PQ@mail.gmail.com> <F40B9423-B0D5-4993-8A3D-D875C62951E4@cisco.com> <9e413fb1-da38-6a1f-8fca-a0dd5a6b6ebd@cs.tcd.ie> <CABcZeBNyFBaHfKf5JGXb7BBc+pcwkLoSx2wYA63AZs0O-WRtug@mail.gmail.com> <32561228-08fc-79ea-1b2e-f5de87b9c8fe@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PmdFhgOVbl-v64JhuVheP4nijqE>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

> I tend to start with the abstract: "TLS allows
> client/server applications to communicate over the
> Internet in a way that is designed to prevent
> eavesdropping, tampering, and message forgery."


It seems clear that TLS proxies obey the letter, if not the spirit, of that statement.

However, it seems to me that no further discussion in the TLSWG is necessary given Martin's assertion that "The TLS working group has decided not to undertake work in this area."



> On Jul 29, 2020, at 5:06 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> On 30/07/2020 00:56, Eric Rescorla wrote:
>> What text in TLS do you believe terminating proxies (in either direction)
>> do not conform to?
> 
> I tend to start with the abstract: "TLS allows
> client/server applications to communicate over the
> Internet in a way that is designed to prevent
> eavesdropping, tampering, and message forgery."
> 
> I think that text has remained through various
> iterations.
> 
> More importantly, the analyses done for tls1.3
> afaik do not consider such 3rd parties except as
> an attacker.
> 
> I'm by no means denying the fact that MITM boxen
> are deployed, but the idea that some of them are
> "conformant" and some are not seems bogus.
> 
> S.