Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Yoav Nir <ynir.ietf@gmail.com> Mon, 17 July 2017 15:18 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <09C9DBF3-75F3-4B59-8522-7ED0D0BA3AD5@gmail.com>
Date: Mon, 17 Jul 2017 17:18:17 +0200
In-Reply-To: <52C47C57-DFCB-4378-8C7C-6D8A5AFF3075@arbor.net>
Cc: Rich Salz <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>, Matthew Green <matthewdgreen@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <8b502340b84f48e99814ae0f16b6b3ef@usma1ex-dag1mb1.msg.corp.akamai.com> <87o9smrzxh.fsf@fifthhorseman.net> <CAAF6GDc7e4k5ze3JpS3oOWeixDnyg8CK30iBCEZj-GWzZFv_zg@mail.gmail.com> <54cdd1077ba3414bbacd6dc1fcad4327@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDeSv+T1ww5_nr6NPgg9k44j7y04tJWC=KeaJF7Gtt+TVQ@mail.gmail.com> <9bd78bb6-1640-68f6-e501-7377dd92172f@cs.tcd.ie> <CAAF6GDeGKEBnUZZFXX0y0a2J2+sVg8VaHh-4H9bhN0Zzk-x9uA@mail.gmail.com> <6707e55d-63d3-01e2-4e98-5cc0644e29e0@cs.tcd.ie> <35f4c84c6505493d8035c0eaf8bf6047@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcq6_ML3yHSQTy-t5irYLS10VVzk_R+7nAUKqQpgcCkrQ@mail.gmail.com> <CAPt1N1m_Zi_2faa8KHcXnic4QjXCEDkwnf=RTbo-Crvh6nMC+g@mail.gmail.com> <CAAF6GDfmoFwQSHEF79AmSDBE6W6FwCu2=n-SU7sHipfsfVTeUg@mail.gmail.com> <a5ba6836cab6417c949d536f2a2542bb@usma1ex-dag1mb1.msg.corp.akamai.com> <52C47C57-DFCB-4378-8C7C-6D8A5AFF3075@arbor.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c88AhqU7fvDHH59WKwG7wd1E96Q>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01

> On 17 Jul 2017, at 17:06, Roland Dobbins <rdobbins@arbor.net> wrote:
> 
> On 16 Jul 2017, at 11:19, Salz, Rich wrote:
> 
>> The key point here is Within the enterprise.
> 
> +1

It’s an illusion that inside the enterprise uses different technologies than outside the enterprise. IP was for outside, and yet it’s all over the inside.

In the end, either this is in OpenSSL (perhaps plus a patch) or it’s not. Either it’s in SChannel or it’s not. Either F5 have it or they don’t.

If it’s not, it will be impossible to deploy in the enterprise network. They’re not all going to implement it themselves. And if it is, then it’s on the open Internet, and then at least some people will have it turned on. The border between the enterprise and the non-enterprise is pretty blurry.

Yoav