Re: [TLS] Update on TLS 1.3 Middlebox Issues

Randy Bush <> Sun, 08 October 2017 22:39 UTC

Date: Mon, 09 Oct 2017 07:39:21 +0900
From: Randy Bush <>
To: Eric Rescorla <>
Cc: Rich Salz <>, Transport Layer Surveillance WG <>
Subject: Re: [TLS] Update on TLS 1.3 Middlebox Issues

> You seem to be responding to some other thread. As both Adam Langley and I
> mentioned, none of the changes that anyone is investigating for reducing
> middlebox-induced breakage affect the cryptographic properties of TLS.

my apologies.  i can only plead low caffeine (6:45 am tokyo time).

the proper threads would have been
  etc etc etc

it's getting to be that you can smell a red herring by the word
'datacenter' when it's really vendors of surveillance gear and three
letter agencies.

> On Sun, Oct 8, 2017 at 2:42 PM, Randy Bush <> wrote:
                         ^^^^^^^  that's your clock, not mine :)
>> there are a lot of us lurkers out here a bit horrified watching this wg
>> go off the rails.
>> it would help if vendors of devices which break privacy would stop
>> speaking for 'datacenters' and let datacenters speak for themselves.  i
>> have not seen any doing so.  my $dayjob has >10 medium-sized datacenters
>> serving everything from banks to telcos to scaled cloud services.  i can
>> not find folk in our datacenter groups who see a need to break e2e
>> encryption.
>> if the interception proposals ensured that user is notified and able to
>> prevent session interception, then i would believe this.  but if they do
>> not, then let's face it, this is all about selling surveillance gear to
>> snooping enterprises and repressive regimes where people with guns take
>> you away at 3am because your session was decoded.
>> can we please provide real end to end privacy or call this wg something
>> else?