Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile
Rob Sayre <sayrer@gmail.com> Fri, 07 April 2023 21:20 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FE1C1522DB for <tls@ietfa.amsl.com>; Fri, 7 Apr 2023 14:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZ-q-qsORs58 for <tls@ietfa.amsl.com>; Fri, 7 Apr 2023 14:20:12 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF8B1C1522C2 for <TLS@ietf.org>; Fri, 7 Apr 2023 14:20:11 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id lj25so10933993ejb.11 for <TLS@ietf.org>; Fri, 07 Apr 2023 14:20:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680902409; x=1683494409; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=PcLu98i+Wq1YyoTuaapWC8V0kS4QccRjlM7rWbq9E/E=; b=PPwyCesuepMboWFT5BHpulYDWevcXGRq+pOr6Nl9Q+pb7ZGbRguDkBGTqYrgREI9Lf koUu2xZqNgVj/S+kft9ShaqQzcu3XVM0wWqAXlSOTJQY+w1sv6RlyDw+hWEmzuh83+PB tz61urWkyq21a/vSDYkWSFFvH7+qVhRF8atduku/iAvPsaCwNobYToOJjjNIUVSAqkJW WPwdA7ZN+K2lFhj3rcucCJRfR8LCq4vv3Z7W3SNF9XqExjahref1xC2qybRu4ME8r3tF EjvN8VCo2QRCaTJ0SGqzFBRpotAiVPPYfiVAijZhpEKjfGNEGuKrSkxefjwgroLTUKTy 2RMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680902409; x=1683494409; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PcLu98i+Wq1YyoTuaapWC8V0kS4QccRjlM7rWbq9E/E=; b=z7aIMy98ghqH3IQ8llcYIifTaxI80gbPKP1v1krCg5jdohAaSwLMCbIZssqKMB3clm pzMrVj0X7IkqzJPrnZe1gJy4f0cPY/qLBoyPG7rIA5sOsZ2fm3jU5IWpHILBdhmYh067 USLOqhxFZoU9oopX7MOb24sCjoE6ol7soHeFoTucbmr94ixGiskfn6QJ1wY92F4P2p9a 0s48ilejm1l2swedAdYX2T8XTM4vbvoD63mCB/xZxMNQegwRRSroYG6g9/jjyJQKmM8q ye27C1YthSdm+0PJWXn2j2r1s4fUh2C0q16PmFeHhbi1ADZNcR7lHGBqDa16pH6h6jhG OfSQ==
X-Gm-Message-State: AAQBX9c12QarXrOHfpoOqsT6JvyvKGejYhwgNnUUaTmGdOyWBL9VL4lA 9njEFpht/hlmbLHFwQf1WV2bOgslMHwq7NropQo=
X-Google-Smtp-Source: AKy350YhJDL9v7xvxqZ99rLTVGNY8hlqqIG+BbVB+RZPWU/UdpuxWl9y0W/2j3PhZcThV4bDtmhFdxmh1ID7nYpWOHs=
X-Received: by 2002:a17:907:a605:b0:931:ce20:db6e with SMTP id vt5-20020a170907a60500b00931ce20db6emr369208ejc.2.1680902409320; Fri, 07 Apr 2023 14:20:09 -0700 (PDT)
MIME-Version: 1.0
References: <15D5BB25-508F-42E3-B843-BCB81B668355@sn3rd.com> <24A48A16-1CAD-4D88-9376-2B51EE4955CA@heapingbits.net> <GVXPR07MB967855D220977DF03CFD984B89919@GVXPR07MB9678.eurprd07.prod.outlook.com> <DM6PR00MB0683D688396F1948A445DB0C8C919@DM6PR00MB0683.namprd00.prod.outlook.com> <GVXPR07MB96784E784CDD8D6F8D26C1CF89969@GVXPR07MB9678.eurprd07.prod.outlook.com> <CH2PR00MB0678FC0BAD43368B70A3D7408C96A@CH2PR00MB0678.namprd00.prod.outlook.com>
In-Reply-To: <CH2PR00MB0678FC0BAD43368B70A3D7408C96A@CH2PR00MB0678.namprd00.prod.outlook.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 07 Apr 2023 14:19:57 -0700
Message-ID: <CAChr6SyT2sFJ-FSRXvxyoXpLziEgtXRDN6UZS3qkbQYXSw3vpQ@mail.gmail.com>
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, Sean Turner <sean@sn3rd.com>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000027bff05f8c5971e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/R9GRwRkV9QQUznzPkIFMt-LB3as>
Subject: Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2023 21:20:16 -0000
Hi, I think this concern is really reasonable. I would suggest publishing it on the independent stream, not AD sponsorship. It's not an end-run around any IETF activity, but it should be documented. thanks, Rob On Fri, Apr 7, 2023 at 11:19 AM Andrei Popov <Andrei.Popov= 40microsoft.com@dmarc.ietf.org> wrote: > > - That seems way to soft and does not say anything about reusing a key > share in an _*ECDHE*_ cipher suite for a long time making it static. > But RFC8446bis now has added SHOULD NOT reuse key share which is very > welcome. My preference would be MUST NOT reuse. > > Agreed, and I also generally agree with your analysis of options 1-4. > > > > However, the IETF standardizing any TLS MITM/visibility options would be a > net negative, from my perspective. That would increase the (already > significant) pressure on TLS stack implementors to provide these > “visibility” solutions. This pressure already comes from a lot of different > angles. > > > > Cheers, > > > > Andrei > > > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *John Mattsson > *Sent:* Friday, April 7, 2023 8:25 AM > *To:* Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>; John > Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; Christopher Wood < > caw@heapingbits.net>; Sean Turner <sean@sn3rd.com> > *Cc:* TLS@ietf.org > *Subject:* [EXTERNAL] Re: [TLS] Call for adoption of > draft-thomson-tls-keylogfile > > > > > > Thanks! > > > > >“Implementations MUST NOT negotiate the cipher suites with NULL > encryption.” > > I will add a link to RFC 9325 in the next version of > draft-mattsson-tls-psk-ke-dont-dont-don’t > > >“Implementations SHOULD NOT negotiate cipher suites based on > non-ephemeral (static) finite-field Diffie-Hellman (DH) key agreement.” > > That seems way to soft and does not say anything about reusing a key share > in an _*ECDHE*_ cipher suite for a long time making it static. But > RFC8446bis now has added SHOULD NOT reuse key share which is very welcome. > My preference would be MUST NOT reuse. > > Cheers, > John > > > > *From: *TLS <tls-bounces@ietf.org> on behalf of Andrei Popov < > Andrei.Popov=40microsoft.com@dmarc.ietf.org> > *Date: *Thursday, 6 April 2023 at 20:08 > *To: *John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, > Christopher Wood <caw@heapingbits.net>, Sean Turner <sean@sn3rd.com> > *Cc: *TLS@ietf.org <TLS@ietf.org> > *Subject: *Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile > > - Maybe IETF (e.g., UTA) could say what organizations should > definitely not do (like NULL encryption). > > This is already done. UTA BCPs prohibit NULL encryption and static DH: > https://www.rfc-editor.org/rfc/rfc9325.html > > “Implementations MUST NOT negotiate the cipher suites with NULL > encryption.” > > “Implementations SHOULD NOT negotiate cipher suites based on > non-ephemeral (static) finite-field Diffie-Hellman (DH) key agreement.” > > > > Cheers, > > > > Andrei > > > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *John Mattsson > *Sent:* Thursday, April 6, 2023 7:41 AM > *To:* Christopher Wood <caw@heapingbits.net>; Sean Turner <sean@sn3rd.com> > *Cc:* TLS@ietf.org > *Subject:* [EXTERNAL] Re: [TLS] Call for adoption of > draft-thomson-tls-keylogfile > > > > Hi, > > > > So, what should people do regarding visibility? There are obviously > organizations that think they need visibility. I see the topic popping up > frequently in a lot of different places. Both in IETF and outside. > > I see four ways to achieve visibility. > > > > 1. Do things in the endpoints. > > 2. Use NULL encryption > > 3. Use a static DH key instead of ephemeral. Share static DH key. > > 4. Export session keys to intermediate node. > > > > I don't see 2 and 3 are not viable solutions at all, ever. > > > > Regarding 2. it violates several of the TLS security properties. NIST > states as the first basic assumption for network connectivity for any > organization that utilizes zero trust is that: > > > > "The entire enterprise private network is not considered an implicit > trust zone. Assets should always act as if an attacker is present on the > enterprise network, and communication should be done in the most secure > manner available. This entails actions such as authenticating all > connections and encrypting all traffic." > > > > Regarding 3. it violates one of the fundamental TLS 1.3 security > properties namely "Forward secret with respect to long-term keys". It also > violates zero trust principles. Two essential zero trust principles > according to NIST and NSA are to assume that breach is inevitable or has > likely already occurred and to minimize the impact when breach occur. One > type of breach is key compromise. Using PFS is a must to limit the impact > of key compromise and therefore to follow zero trust principles. > > > > The only viable solutions I see are therefore 1 or 4: > > > > 1. do things in the endpoints > > > > 4. export sessions keys to the intermediary and making sure that the > intermediary does not store the keys long term. Storing the session keys > long term violates the TLS security properties and the zero trust > principles described above. > > > > Regarding 4. there are many different solutions. > > > > - SSLKEYLOGFILE is a de facto standard for exporting TLS key material. > > > > - ETSI CYBER has standardized Middlebox Security Protocol. > > > https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf > > > > - Proprietary solutions such as > > https://www.nubeva.com/pillar/get-session-keys > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-5f34a1d271355f52&q=1&e=f3aeeac6-dde5-492c-8992-c755e6a13aca&u=https%3A%2F%2Fwww.nubeva.com%2Fpillar%2Fget-session-keys> > > > > If IETF cannot say that anything is recommended. Maybe IETF (e.g., UTA) > could say what organizations should definitely not do (like NULL > encryption). Seems like a lot of organizations are deploying different > kinds of solutions right now. They will likely do less secure things than > necessary... > > > > Cheers, > > John > > > > *From: *TLS <tls-bounces@ietf.org> on behalf of Christopher Wood < > caw@heapingbits.net> > *Date: *Thursday, 19 January 2023 at 15:57 > *To: *Sean Turner <sean@sn3rd.com> > *Cc: *TLS@ietf.org <tls@ietf.org> > *Subject: *Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile > > Hi folks, > > Apologies for the delay in concluding this adoption call. To close the > loop here, it doesn’t look like we have sufficient support to adopt the > document as a WG item. > > The chairs would like to recommend AD sponsorship as a viable path forward > for this document. This should achieve the desired end goal of moving > change control from the fine folks maintaining NSS to the IETF while also > nailing down the now widely supported format used in production. > > Best, > Chris, for the chairs > > > On Nov 28, 2022, at 1:41 PM, Sean Turner <sean@sn3rd.com> wrote: > > > > Hi! > > > > At TLS@IETF115, the sense of the room was that there was WG support to > adopt draft-thomson-tls-keylogfile [1]. This message is to judge consensus > on whether the WG should adopt draft-thomson-tls-keylogfile. Please > indicate whether you do or do not support adoption of this I-D by 2359UTC > on 12 December 2022. If do not support adoption, please indicate why. > > > > Cheers, > > Chris, Joe, and Sean > > > > [1] https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/ > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Call for adoption of draft-thomson-tls-keyl… Sean Turner
- Re: [TLS] Call for adoption of draft-thomson-tls-… Salz, Rich
- Re: [TLS] Call for adoption of draft-thomson-tls-… Andrei Popov
- Re: [TLS] Call for adoption of draft-thomson-tls-… Andrei Popov
- Re: [TLS] Call for adoption of draft-thomson-tls-… Ilari Liusvaara
- Re: [TLS] [EXTERNAL] Re: Call for adoption of dra… Andrei Popov
- Re: [TLS] Call for adoption of draft-thomson-tls-… Stephen Farrell
- Re: [TLS] [EXTERNAL] Re: Call for adoption of dra… Andrei Popov
- Re: [TLS] [EXTERNAL] Re: Call for adoption of dra… Martin Thomson
- Re: [TLS] Call for adoption of draft-thomson-tls-… Salz, Rich
- Re: [TLS] Call for adoption of draft-thomson-tls-… Christopher Wood
- Re: [TLS] Call for adoption of draft-thomson-tls-… John Mattsson
- Re: [TLS] Call for adoption of draft-thomson-tls-… Andrei Popov
- Re: [TLS] Call for adoption of draft-thomson-tls-… John Mattsson
- Re: [TLS] Call for adoption of draft-thomson-tls-… Andrei Popov
- Re: [TLS] Call for adoption of draft-thomson-tls-… Rob Sayre
- Re: [TLS] Call for adoption of draft-thomson-tls-… Rob Sayre
- Re: [TLS] Call for adoption of draft-thomson-tls-… John Mattsson