Re: [TLS] Industry Concerns about TLS 1.3

Jeffrey Walton <noloader@gmail.com> Wed, 28 September 2016 16:29 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB4E12B20C for <tls@ietfa.amsl.com>; Wed, 28 Sep 2016 09:29:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsyR1eGm5sgI for <tls@ietfa.amsl.com>; Wed, 28 Sep 2016 09:29:06 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E7912B191 for <tls@ietf.org>; Wed, 28 Sep 2016 09:29:05 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id r145so68654706ior.0 for <tls@ietf.org>; Wed, 28 Sep 2016 09:29:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mbZRKWK2QRnic8vkurTSiR6w4njlfMNHAkleDLDaJdU=; b=wt14zIZTQ5+qjG3GYh65jQIJJwjRa+7AFyl0dj27vuqpDMgM84yZ0uM5csqQ4ibHCZ lE5qeEUeUcpjI0SB4pE3G0U40GEiOg+r45l+XD+mk88aTHdQdazf7/bnsXWhTdtHz0iO 56fzagfrHzsX0HZ87i9RdcCH6YZ490FpulDUqnxoKmmLCnOfqueIhf2cD6Kp6m18thCX bIgTLveGHudjwFD+0qGvKxXFeJ4IKi4RuHSyA/jXAe+5d9nwKwDWhTlCwyZUjEXllWiq Rs8FpinbTfWpij3OwpEyqtLMeFLlvPHxACn7nYnj0GuZ7MvsI6OKmqLtouORhpGvJoX0 49SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=mbZRKWK2QRnic8vkurTSiR6w4njlfMNHAkleDLDaJdU=; b=IY25iw9pYQNxz5wJfyTlyLxFLTst8ufDH10rdAUO50GJWpR0C3ewtzu6Ydbrle9ip3 xAF0dW0Bjv3oWFdMneDQIhi2r3Swe3uiSTY2lH9CtssKhOzk8TeRVJUbdeHTq8pBlVBt 2iacMgCDPkyJHIK4Wat8vKjkbW5+LwlZD+e60uEfz+qJwOujnC37t15pTm0nzsOUlxVp Bo73eQcXpBrjtIRlj5z34A2+Umq0EYuQTROzGe8mZvidCMAeezdDghUEu55ZS99QCb/m jnbZj6rtH/bWErfxByDtIPInT4J4HKPDnqScMlT/9Eurr9TbkCuG3SvVaL9OVCjm0Hnr EGYg==
X-Gm-Message-State: AE9vXwPR/NTImmFeB/uELN3JoU+vVYATNRUrYHxS76rcYOdZH62eYn+k39WfhF6yMAVKQpmsymYKCPTQbgIF7w==
X-Received: by 10.107.168.70 with SMTP id r67mr41693134ioe.149.1475080145351; Wed, 28 Sep 2016 09:29:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.131.70 with HTTP; Wed, 28 Sep 2016 09:29:03 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF50102182D@XMB116CNC.rim.net>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC6CAC@PWN401EA120.ent.corp.bcbsm.com> <fd4ad423-3614-5330-b687-1b5848e839f0@wheelsystems.com> <4FC37E442D05A748896589E468752CAA0DBC9732@PWN401EA120.ent.corp.bcbsm.com> <b24efbbb594040e794f7513b7e62b3c7@usma1ex-dag1mb1.msg.corp.akamai.com> <4FC37E442D05A748896589E468752CAA0DBCBA55@PWN401EA120.ent.corp.bcbsm.com> <CAGAMPd83CdOM_R5rwPJ+LfWW4V9pv6oBp==mEVexA2hnBB5v9w@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF50102182D@XMB116CNC.rim.net>
From: Jeffrey Walton <noloader@gmail.com>
Date: Wed, 28 Sep 2016 12:29:03 -0400
Message-ID: <CAH8yC8=G1RJmNhnECQqWuJ+rT7A9H+383zun4pJ_+J983Q283g@mail.gmail.com>
To: Dan Brown <danibrown@blackberry.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_S2CcOe9Cs4PwyRhfzbpMvlL9Qw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 16:29:07 -0000

> It seems wiser for Bob to somehow monitor or log what is being done with his
> own plaintexts at his own server. I know little about existing products to
> do this, but from my theoretical perspective, it ought to be easier than
> compromising forward-secrecy (logging ciphertexts).

+1. I worked on two separate projects where all messages were
effectively duplicated - one was sent as expected and the other was
sent to a logging server. It did not matter what the message was. It
could have been email, chat a pdf or a word doc. Everything was logged
by order of the auditor.

One project was for the state department, and the other was diplomatic
security service. They did not care about efficiency. After the
Manning breach and some other classified leaks, they cared very much
about exactly what was egressed.