Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 19 July 2017 18:37 UTC

Return-Path: <prvs=8373673639=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F1312EAB0 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 11:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMLHVZRgVWP8 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 11:37:44 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 8C80E12711E for <tls@ietf.org>; Wed, 19 Jul 2017 11:37:44 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v6JIbc2s037608; Wed, 19 Jul 2017 14:37:38 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Dobbins, Roland" <rdobbins@arbor.net>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-green-tls-static-dh-in-tls13-01
Thread-Index: AQHS/ulwkltwWiCLAkez9/LKtukmkaJYpiSAgAAE/ICAAtZXgIAAGYoA//++zoCAAEWCAIAABMAA///DOoCAAFAQAP//vjeAAAivAYD//8NRAA==
Date: Wed, 19 Jul 2017 18:37:37 +0000
Message-ID: <03E785A6-5C65-4DB0-AFD7-65DD7B4C94B1@ll.mit.edu>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <72BACCE6-CCB9-4DE9-84E6-0F942E8C7093@gmail.com> <a0a7b2ed-8017-9a54-fec0-6156c31bbbfa@nomountain.net> <6AF150DF-D3C8-4A4A-9D56-617C56539A6E@arbor.net> <CAN2QdAGRTLyucM1-JPmDU17kQgAv0bPZNASh54v=XoCW+qj48A@mail.gmail.com> <CACsn0cnc0X5++cOvTNsboda8J42qg3VDquZ4Va-X-YDcggnbvA@mail.gmail.com> <7423703D-5277-4F78-A2ED-1B7E152E7B08@arbor.net> <CACsn0cmo0HXBj7MidTTwkgE+Hwed9SrEODSzN8oURzQHJTW1aQ@mail.gmail.com> <E5BF12C2-B79A-444B-B4C2-90D28B40CCAC@arbor.net> <CACsn0c=_OT8R6SSr0P3RvT7Qx+smfz1DAKjH9Gni+jM8Ue4v5A@mail.gmail.com> <CAAF6GDc9e9TGWVaOjdb83AFH=z2kt41Rje+r4Ureoc6KVgEUJg@mail.gmail.com> <B08F0D98-FAE9-494C-AA96-4CE89792B770@ll.mit.edu> <CAAF6GDdSnCggfsrSG68An348ngR+fcb+9nQcKvJJGFtxg8NzJw@mail.gmail.com> <FDC8499C-FA96-4992-B1F2-C90F6154856B@arbor.net> <9A49F3C7-DEC7-4FEA-9017-B48DAC1D1446@ll.mit.edu> <2FAFADF2-F791-406B-9519-EAB266AC2FCD@arbor.net> <1CA52ED8-3119-41CD-AD51-EA5DC7B77ADD@ll.mit.edu> <AF2CD715-DAA8-460D-A448-FB2DFF42096F@arbor.net>
In-Reply-To: <AF2CD715-DAA8-460D-A448-FB2DFF42096F@arbor.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.23.0.170610
x-originating-ip: [172.25.177.195]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3583319857_1453733097"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-19_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707190290
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ceqWiga8UE-b3E7tyT_lPiVAg0g>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 18:37:47 -0000

    > most of them already carry all that’s necessary (and more) to perform surveillance from inside the endpoint.
    
    Unfortunately, this is not the case.  Quite the opposite, actually. 
    
    It's already been explained why endpoint-based measures are impractical. 
    If they were practical, they'd already be in widespread use, and this wouldn't be an issue in the first place. 

When there is a pool of data waiting for the operator to (figuratively speaking) push a button on a switch and start intercepting the traffic in plaintext – there’s no need to go through the extra inconvenience of using endpoints for that. No surprise.

I keep telling that this pool is drying up. It’s “go to endpoint for the plaintext” or “sorry, no plaintext at all” (or “stay with the old stuff – using old-rotten methods goes hand-in-hand with the bit-rot of the older protocols”).