Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Colm MacCárthaigh <colm@allcosts.net> Sun, 16 July 2017 04:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/R7JS37l-BPOeDk8104grNtrg3kY>

On Sat, Jul 15, 2017 at 5:39 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

> On 15/07/17 23:55, Colm MacCárthaigh wrote:
> > So far responses on the mailing list have been saying "Don't use
> > pcap, instead run proxies".
> Sorry, but that is incorrect. Some list participants
> have said "we need pcap" and others have said that
> "no, we do not need to use packet capture." And others,
> myself included, consider that there is a dearth of
> evidence.
>

Can you be more clear what is lacking in evidence? Are you skeptical that
existing network operators don't do this kind of decryption? There's
support for it in tools like Wireshark. Is that sufficient evidence?

Are you skeptical that there's no evidence that using proxies instead would
be a burdensome change? I'm not skeptical of that at all, but would be
interested in what acceptable evidence would look like. Though I'll point
out again: TLS 1.3 is the new thing that we want to gain adoption, so
really we should be looking for evidence that it's /not/ a burdensome
change.

-- 
Colm