Re: [TLS] Update on TLS 1.3 Middlebox Issues

Randy Bush <randy@psg.com> Sun, 08 October 2017 22:39 UTC

Date: Mon, 09 Oct 2017 07:39:21 +0900
Message-ID: <m2o9phi7s6.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Rich Salz <rsalz@akamai.com>, Transport Layer Surveillance WG <tls@ietf.org>
In-Reply-To: <CABcZeBPA885itU+O-X+ri_P7Zxqbs1qXUmQFbE9Fc3h5YQfSMw@mail.gmail.com>
References: <m2shetiafc.wl-randy@psg.com> <CABcZeBPA885itU+O-X+ri_P7Zxqbs1qXUmQFbE9Fc3h5YQfSMw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fJG2ivtUV6BZH6QBttjtmG-w5xA>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

> You seem to be responding to some other thread. As both Adam Langley and I
> mentioned, none of the changes that anyone is investigating for reducing
> middlebox-induced breakage affect the cryptographic properties of TLS.

my apologies.  i can only plead low caffeine (6:45 am tokyo time).

the proper threads would have been
  draft-green-tls-static-dh-in-tls13
  draft-rhrd-tls-tls13-visibility
  etc etc etc

it's getting to be that you can smell a red herring by the word
'datacenter' when it's really vendors of surveillance gear and three
letter agencies.

> On Sun, Oct 8, 2017 at 2:42 PM, Randy Bush <randy@psg.com> wrote:
                         ^^^^^^^  that's your clock, not mine :)
> 
>> there are a lot of us lurkers out here a bit horrified watching this wg
>> go off the rails.
>>
>> it would help if vendors of devices which break privacy would stop
>> speaking for 'datacenters' and let datacenters speak for themselves.  i
>> have not seen any doing so.  my $dayjob has >10 medium sized datacenters
>> serving everything from banks to telcos to scaled cloud services.  i can
>> not find folk in our datacenter groups who see a need to break e2e
>> encryption.
>>
>> if the interception proposals ensured that user is notified and able to
>> prevent session interception, then i would believe this.  but if they do
>> not, then let's face it, this is all about selling surveillance gear to
>> snooping enterprises and repressive regimes where people with guns take
>> you away at 3am because your session was decoded.
>>
>> can we please provide real end to end privacy or call this wg something
>> else?

randy