Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

Benjamin Kaduk <bkaduk@akamai.com> Fri, 04 May 2018 21:48 UTC

Date: Fri, 4 May 2018 16:48:35 -0500
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Roelof duToit <r@nerd.ninja>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20180504214834.GS5742@akamai.com>
References: <4E347898-C787-468C-8514-30564D059378@sn3rd.com> <96B30D45-BAA9-4798-B222-F7890157A434@nerd.ninja>
In-Reply-To: <96B30D45-BAA9-4798-B222-F7890157A434@nerd.ninja>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Y8uIc5QYkmUkphuHg5BrGWfzswU>

On Fri, May 04, 2018 at 11:20:55AM -0400, Roelof duToit wrote:
> How will this (and any mechanism built on top of RFC 5705 exported key material) interoperate with middleboxes?  This use of the mechanism is not negotiated on the TLS level, so there is no extension for the middlebox to strip that would warn the endpoints not to use exported authenticators.  Are application level proxies the only compatible middleboxes?

I'm not sure I properly understand the question, in particular what kind of
middlebox you're considering.  Note that application protocols will need to
have some way to negotiate the use of this functionality, which presumably a
middlebox could also inspect.

-Ben