Re: [TLS] chairs - please shutdown wiretapping discussion...

Ted Lemon <> Tue, 11 July 2017 20:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D90671317BC for <>; Tue, 11 Jul 2017 13:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6QNf6of5Sgb8 for <>; Tue, 11 Jul 2017 13:03:57 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 09CD5126DEE for <>; Tue, 11 Jul 2017 13:03:56 -0700 (PDT)
Received: by with SMTP id 32so2536223qtv.1 for <>; Tue, 11 Jul 2017 13:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=j7uwddLdn1QxlFBh7P4IuMKCDW/m+HSNBjNYrJZbhl4=; b=YWOj6cVl4aHtbvRzKjic76JV0RHCr+wHTmf2/89p5KC1wFKD6/jaWjWbqwVFQLIvJY rX2xMo7OeZ7ph9dPa3GzW2bCw9WMUu5weAgvHRdqypE2WDcso/KPe8ZTdxhH8NH2lbaS +LaEPHFE5lExujwTqg/CFUeY6DLdrqTdg2zPqjIVW/5d6kEX1te5eg+s9HXlPS5URSbE hARC/hGbOSHg2d62X96q1f1ZLyIkaU+rB5z5d+YdFRb33m2xS6NGleMUCrFf0DjFzcVW yohqixP2ubLGnEzrA+S90GX1FQyIRLMEDRLmAIVWjUI47/DQ0/DplM+61w963+WnN/ob aVPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=j7uwddLdn1QxlFBh7P4IuMKCDW/m+HSNBjNYrJZbhl4=; b=qtSxcA/Czva+Kyk25FzHVs7Hkl/qQII/UKwj7Y0w8ui1EXZkx2JbjA2dUWk17j0ha7 qx6u2b1nZQF0zKz81ReIFvBilJRCJioPMODgNRT0PBOdtLkfqVmKr1e7sULmtRx9Gnfh TNPEjmFc1b//9UtskYIgGBRPjBaftzjkUGrxyyRq4px+a8bx9VeWrUZbl8sArwQFL/Eo bndKK9ZeZRLeab0Tb2u9b3JmZrZTsK72NgxC26xWES4FxmUPxOllXX/BwkzwpSB6l33l jOCEsyzmGgHxYJa38tItN6MGV5gqbuSSyLiybyAAHQGBeeUfhoFhktsTRsjWKoTqcrIM FvGg==
X-Gm-Message-State: AIVw112Ipf9Yd5gJBvZtze0Zka3rKyzIp0KroEkqtTXiv2k9TBzf03at 5alEEa+sDZiOiDFGnljtXA==
X-Received: by with SMTP id g18mr2341190qtb.118.1499803435946; Tue, 11 Jul 2017 13:03:55 -0700 (PDT)
Received: from macbook-pro-6.ether.lede.home ( []) by with ESMTPSA id q185sm178022qkb.45.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 13:03:55 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0E178CAD-D65A-4FAC-A9ED-B624FA8D5601"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 11 Jul 2017 16:03:53 -0400
In-Reply-To: <>
Cc: Christian Huitema <>,
To: Stephen Farrell <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Jul 2017 20:03:59 -0000

On Jul 11, 2017, at 3:59 PM, Stephen Farrell <>; wrote:
> I can't see that happening. Once the first <> is called
> out for using this, others will make their list longer or take
> other approaches, e.g. use one exfiltrated private value as a
> seed for others via some proprietary mechanism.

Ah, you mean the first time the attack happens in the wild.   Sure, I can see that, but that gains the attacker no real advantage over just exfiltrating all the keys.   Once you make the number of keys large enough to be hard to detect, you have a really big key management problem.   Might as well just make it a logging problem.   So we've forced them to do the thing that makes pervasive monitoring hard and point monitoring easy.   I call that a win.

Note that if we took a distributed approach to discovering key reuse, it would be almost impossible for any large site to conceal.

> Actually, that calls out another reason to not standardise or
> further develop this - any such standard is either undetectable
> or leads to deployments deviating from the standard to become less
> detectable - both undesirable outcomes. That latter case also
> destroys the "but we should scrutinise it" argument IMO as the
> "it" will change to be undetectable and not the "it" that was
> ostensibly scrutinised.

I'm not arguing in favor of standardizing this.   I think it's an attack, and there is a countermeasure which is worth documenting, and possibly worth deploying.   If the working group does a CFA on the draft, I will argue against adoption.   I like Christian's approach—document this in an appendix, _as an attack_.