IETF Logo Mail Archive

Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Eric Rescorla <ekr@rtfm.com> Thu, 30 July 2020 00:35 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE88B3A0A83 for <tls@ietfa.amsl.com>; Wed, 29 Jul 2020 17:35:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U_ZBV86rWSsR for <tls@ietfa.amsl.com>; Wed, 29 Jul 2020 17:35:55 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B923D3A09A9 for <tls@ietf.org>; Wed, 29 Jul 2020 17:35:54 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id h19so26997967ljg.13 for <tls@ietf.org>; Wed, 29 Jul 2020 17:35:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kXetPutOfQyB2nQTflISzhEwxSlgF4BqOkvsGH6J2C8=; b=ebMTxbIHLy4niyER/SZj7chr2ElMTFeJEZn0TWxD+dJEEMe0LEVpTnY+uEIWk4c/FM lUbXEWqSCGIly5Y1+TcX+t9+S0EHT3N+UdeZ5Rqm1vWIXLhmtutu0tGTH12MnDmKHknR Npesk02NdOge8/hEo0/fJEH/jjJ7z1lx3s2qwF69iUiuyYIQHwf4KInIglf0unblL5tq WJn8Djlvqxzd9J1Yb3+Kbjs4Pcz1IV0OB0HzOEsHgFZrBbLaqsb77UW0k0n5o8J6uVs+ 49y+nslVj2SQSriIRMDoGDeDtVqw74GqCgVPjwNt6i+MX/BO0QTp0wsZCrkDedD7/4+G YG9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kXetPutOfQyB2nQTflISzhEwxSlgF4BqOkvsGH6J2C8=; b=skALal6cGnA+A+WTwDprT0wKGr5+/iYfmVtBplx85z7JbhdegLRWShk4mdzR6afRIX Eit37H1Prv4DCL7cTZbtgbbvKWycglbKiyueDUvPfKxZPySRFGzXnpaHyTmJAVymXP1I WkKigCRLcr0CFPm4VxsSQiLmpv0cUqcx9MNhgJc8RtQUfQixm82LWr69NPyxtOlHOEjk WQv3+MhNNr8W8MUteiMkFMYiptHCcIwPkyRpBVWhnKgYwyPF7TrhipDnboo5nry1YWp0 9BmNpNL28yrGzlr/4yeXpU13x1elFYoSvRd8Fn3JCRM8dNLzwfkcbkVIQfbl8+efHOYM ji4A==
X-Gm-Message-State: AOAM532mVKhdRBmgzdJdL4IEmb3MzbvBUnJIRwlXsmsWQicTBfxXeyDD HRG8d0+b6pSisP6ZE7Anwq4n6gSHdL1W+vBedQXhWA==
X-Google-Smtp-Source: ABdhPJz03D/QPnblX43ca314fQr5lsQ5aBEcGsWSO+3bL0SnSgLYV1iCDadYU7tatLJjpdZQtQ9Fk9CUJUH4nl0W8rw=
X-Received: by 2002:a2e:9d04:: with SMTP id t4mr198750lji.184.1596069352849; Wed, 29 Jul 2020 17:35:52 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <d9a9ea94-4c4a-40eb-8841-7a92fa31103e@www.fastmail.com> <34226646-93F3-4592-A972-A55B160D5B78@cisco.com> <CACdeXi+7oQgcg=-vFqxLnEFtg__6AehWXyE5ey8CBFiw9Vh8PQ@mail.gmail.com> <F40B9423-B0D5-4993-8A3D-D875C62951E4@cisco.com> <9e413fb1-da38-6a1f-8fca-a0dd5a6b6ebd@cs.tcd.ie> <CABcZeBNyFBaHfKf5JGXb7BBc+pcwkLoSx2wYA63AZs0O-WRtug@mail.gmail.com> <32561228-08fc-79ea-1b2e-f5de87b9c8fe@cs.tcd.ie>
In-Reply-To: <32561228-08fc-79ea-1b2e-f5de87b9c8fe@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 29 Jul 2020 17:35:16 -0700
Message-ID: <CABcZeBOfVxoyds+vntEs+7ttrVkd2ppEvX+TdshS=AxA3kUQ7Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>, Nick Harper <nharper=40google.com@dmarc.ietf.org>, Ron Bonica <rbonica@juniper.net>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d05e3f05ab9ddae2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QjeCK_Bl8-a6VShIrdA6YuOaa_E>
Subject: Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 00:35:58 -0000

On Wed, Jul 29, 2020 at 5:06 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 30/07/2020 00:56, Eric Rescorla wrote:
> > What text in TLS do you believe terminating proxies (in either direction)
> > do not conform to?
>
> I gtend to start with the abstract: "TLS allows
> client/server applications to communicate over the
> Internet in a way that is designed to prevent
> eavesdropping, tampering, and message forgery."
>

> I think that text has remained through various
> iterations.
>

Yes, and in this context, the MITM proxy is a server from the client's
perspective and a client from the origin server's perspective.


More importantly, the analyses done for tls1.3
> afaik do not consider such 3rd parties except as
> an attacker.
>

I would say rather that those analyses consider them as protocol endpoints
and address the two individual connections terminated by the proxy and have
nothing to say about the composition of those two connections.


I'm by no means denying the fact that MITM boxen
> are deployed, but the idea that some of them are
> "conformant" and some are not seems bogus.
>

Well, they are either conformant with the text of 8446 S 9.3 or they are
not (and just to be clear, being conformant with 9.3 does not make them
good for the reason indicated above).

-Ekr

v2.23.0 | Report a Bug | By Email