Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Dobbins, Roland" <rdobbins@arbor.net> Sat, 15 July 2017 07:48 UTC

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
CC: Russ Housley <housley@vigilsec.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF TLS <tls@ietf.org>, Matthew Green <matthewdgreen@gmail.com>
Date: Sat, 15 Jul 2017 07:48:25 +0000
Message-ID: <C4968C13-3229-43C2-B29B-EC9C01D76D06@arbor.net>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAL02cgRJeauV9NQ2OrGK1ocQtg-M2tbWm2+5HUc4-Wc8KC3vxQ@mail.gmail.com> <71E07F32-230F-447C-B85B-9B3B4146D386@vigilsec.com> <39bad3e9-2e17-30f6-48a7-a035d449dce7@cs.tcd.ie> <CAJU8_nXBFkpncFDy4QFnd6hFpC7oOZn-F1-EuBC2vk3Y6QKq3A@mail.gmail.com> <f0554055-cdd3-a78c-8ab1-e84f9b624fda@cs.tcd.ie> <A0BEC2E3-8CF5-433D-BA77-E8474A2C922A@vigilsec.com>, <87k23arzac.fsf@fifthhorseman.net>
In-Reply-To: <87k23arzac.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bpybAMg49gk4mHn1A4YW0tWGEuU>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
> On Jul 15, 2017, at 13:26, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> (b) we know that network capture is widely used adversarially by the
>     kinds of attackers that TLS is explicitly intended to defend
>     against?

Because we know that network capture is an absolute, unquestionable requirement in order to defeat adversaries who are both prevalent & who can actually be defeated. 

There's no talk of 'privileging' anything. The talk is about not arbitrarily depriving network administrators & security personnel of the tools & techniques they've been using for many years and with great success to troubleshoot & defend their networks, applications, services, & data. 

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>