Re: [TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)

Hot Middlebox <> Wed, 14 March 2018 22:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4F5CA129502 for <>; Wed, 14 Mar 2018 15:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id crzeSQ7twd_R for <>; Wed, 14 Mar 2018 15:08:46 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c0c::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 25D04126E01 for <>; Wed, 14 Mar 2018 15:08:46 -0700 (PDT)
Received: by with SMTP id z73so2030922wrb.0 for <>; Wed, 14 Mar 2018 15:08:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=76cWdo5JBg/4y8WQhDEcmcSUh/DBu7pWppzxLCsLKGE=; b=ln4jcqWczo+CgytzEDIv2oBVqgHFBbunNdqhDJZOIQ/jomBDiYNOz80Yc0UaLTQWxu VxNtO6osX7RCzGUuG36VwIQhjWFGBhY4c4RAfx02EDyakT6FjsE44R12ZSOTpfYDBWsC dQYR6RejwZNDWep1vLI7sde9MXwlCU99yus/mHi17J/ZlLYGIzuAN6HL5lu1Ok8auH1W o39CDH6KWkx6P14s+iTUpzHy+Pw2mmize9hma8qliKOLDq8XtPisl2vkQu3lf9VUBmnE v7D9OoeovkbFzlsFuNbT0I54lfqjFOF0miQaIDrLyhzV5gc7l93u/Q2R9O+5QwfkBVfM a6xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=76cWdo5JBg/4y8WQhDEcmcSUh/DBu7pWppzxLCsLKGE=; b=GRktK45iNR7MwAhJNEGubhInMnSpjRHR+a9d5bz6lx/b8oDeWbGLY8tfWfIpaMzaQ8 6Wg9cx5HHkBmLoOTKcZDCpXKvi6UTIJn7ORGaAI1TpyDAOoTIeY4Ag/s2DlMN0sEiY/w gMdlnLC8aYL1XDmM/paykUosGJHY+YBQu70TwMTvYIht1X2e/xudWkr6FfPeqYvbeMdU MIT0+0lX/fu7bVuS9xz4v+DQ1SZKYQZJG1Cxub8BfP23+1MXX/yCicUtTiElyBjjURNz brbQWM2GAH8ldH0uhF8UgDVuo9LMnC/7y2P44x29+BxIMmgWe2Zqf4plMdQcy9NJ5WoF dQmw==
X-Gm-Message-State: AElRT7EmjH+0tI92HqHGXZ8ny/XAb8kb66C9SiG+OexV/nbpLQESD6x6 OVzBZ33etmm4wLmUawFgVwprm+VkB85PNHVqHSQ=
X-Google-Smtp-Source: AG47ELuj+QFCT6Fs2myJDgrr/9BWX4SXsfM+q1ZJLKXq11HCyCxqw1qNFC7mUx7Bot2j/04VY1nrw244bhd0m2FxV98=
X-Received: by with SMTP id n16mr5066484wra.171.1521065324453; Wed, 14 Mar 2018 15:08:44 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 14 Mar 2018 15:08:44 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Hot Middlebox <>
Date: Wed, 14 Mar 2018 18:08:44 -0400
Message-ID: <>
To: "Salz, Rich" <>
Cc: Martin Thomson <>, Russ Housley <>, IETF TLS <>
Content-Type: multipart/alternative; boundary="f403045ea6b2583e210567669ec6"
Archived-At: <>
Subject: Re: [TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Mar 2018 22:08:48 -0000

The requirements for visibility exist in an array of regulated environments
worldwide.  It is one of the presentation areas in the Hot Middlebox

The Middlebox Hackathon site is also now public so everyone can
experience how a browser plug-in client (to be provided) can be used in
conjunction with a fine grained Middlebox Security Protocol for Middlebox
discovery and controlled visibility by an end-user in a way that meets both
user and regulatory interests.  The draft specification will be published
in two weeks.

--the Hot Middlebox organizers

On Wed, Mar 14, 2018 at 9:42 AM, Salz, Rich <> wrote:

> >    So aside from enabling MitM, this also enables session resumption by
>     the decryption service, something that the security considerations
>     neglects to include in its list.
> So I think this is an important point.  I assume the authors did not
> realize this. That shows how hard, and risky, it is to get this right.  In
> the US, we have been having arguments where the national police force (FBI)
> is insisting that tech companies can create a "golden key" that only they
> can use, and the security people are saying it is impossible.  This seems
> like another instance, no?
> Oh heck, let me ask the uncomfortable question:  Russ, did you know this
> or was Martin's point new to you?
>         /r$
> _______________________________________________
> TLS mailing list