Re: [TLS] chairs - please shutdown wiretapping discussion...

Russ Housley <housley@vigilsec.com> Sat, 08 July 2017 17:17 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11C7F12ECB6 for <tls@ietfa.amsl.com>; Sat, 8 Jul 2017 10:17:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3fjDR1hLJOZ for <tls@ietfa.amsl.com>; Sat, 8 Jul 2017 10:17:40 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B9712ECB3 for <tls@ietf.org>; Sat, 8 Jul 2017 10:17:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 971ED3004C3 for <tls@ietf.org>; Sat, 8 Jul 2017 13:17:39 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id P757spVA-aX7 for <tls@ietf.org>; Sat, 8 Jul 2017 13:17:38 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 10FD930043A; Sat, 8 Jul 2017 13:17:37 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <9F15A30E-92B1-4143-8285-8A652E914F50@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4A7BDC70-A3CA-465C-8ABC-2E5C071C7054"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Sat, 8 Jul 2017 13:17:36 -0400
In-Reply-To: <CAHOTMVLXzgnvcZsSjUgexpqeTZROUz9gaHO8oa8ox4hS7awQYA@mail.gmail.com>
Cc: IETF TLS <tls@ietf.org>
To: Tony Arcieri <bascule@gmail.com>
References: <b8baf87c-6648-96aa-4275-924fee07f774@cs.tcd.ie> <CAHOTMVLXzgnvcZsSjUgexpqeTZROUz9gaHO8oa8ox4hS7awQYA@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TJRhVnHIpN1iiJ3z7oMkHUz5hAs>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jul 2017 17:17:42 -0000

Tony:

I want to highlight that draft-green-tls-static-dh-in-tls13-01 does not enable MitM.  The server does not share the signing private key, so no other party can perform a valid handshake.  Further, the server is choosing to use a (EC)DH key that was generated by the key manager, so it is quite different than the mandatory key escrow used in the Clipper Chip.

Russ


> On Jul 8, 2017, at 11:39 AM, Tony Arcieri <bascule@gmail.com>; wrote:
> 
> I was one of the people arguing my hardest against the BITS Security proposal to continue to (ab)use RSA static keys to allow passive MitM, even though TLS 1.3 had already moved forward on what I would call a more modern protocol design of the sort I believe payments companies should embrace to improve their security.
> 
> That said, if people do want to MitM themselves, I would rather there be a single, easily detectable and very explicit way of doing so, as opposed to sketchy, incompatible, ad hoc mechanisms. Furthermore, it would be nice to have a clear answer for these users, less they continue to make (bad) arguments that there is something fundamentally wrong with the design of TLS 1.3 that makes it incompatible with "industry requirements".
> 
> Clearly there are echoes of the scary protocols of yesteryear, i.e. Clipper/LEAP. I think if you visit Matt Green's Twitter page and check the image header you will discover he is quite familiar with these things, and my personal presumption would be he is not displaying this image to show his undying love of the Clipper chip, although perhaps he's an especially crafty and duplicitous NSA sleeper agent.