Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
Kurt Roeckx <kurt@roeckx.be> Mon, 09 January 2017 23:23 UTC
Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4F40129980 for <tls@ietfa.amsl.com>; Mon, 9 Jan 2017 15:23:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level:
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i_7odJdvmNyb for <tls@ietfa.amsl.com>; Mon, 9 Jan 2017 15:23:09 -0800 (PST)
Received: from excelsior.roeckx.be (excelsior.roeckx.be [195.234.45.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAD4E12996F for <tls@ietf.org>; Mon, 9 Jan 2017 15:23:08 -0800 (PST)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by excelsior.roeckx.be (Postfix) with ESMTP id AA301A8A0985; Mon, 9 Jan 2017 23:23:05 +0000 (UTC)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 6C0AB1FE059F; Tue, 10 Jan 2017 00:23:05 +0100 (CET)
Date: Tue, 10 Jan 2017 00:23:05 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Adam Langley <agl@imperialviolet.org>
Message-ID: <20170109232304.pn3azqexniw3nvdu@roeckx.be>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <CAFewVt44xm3rgm=n8PpEcqbTvC-Ei2EvoJciL=+m2UnQ-fUm2A@mail.gmail.com> <CAMfhd9Xq4RA6XBqLZtsbWSnMk4SnvZLC9V3_gCH-FzyVBMg4xg@mail.gmail.com> <CADi0yUPSkBhyuX7utW1tsVkkbDc6YgBLie41qWPwbo+X6CpuZA@mail.gmail.com> <1483330131409.25713@cs.auckland.ac.nz> <5542029D-293A-44F5-9A11-62F5C47A4BA5@gmail.com> <CABcZeBOa7rNSX-bZgQ4HS02XX0c_bMMfTMPfpmtxyq7DrnpmuA@mail.gmail.com> <071A0098-8E03-4DCB-AA3F-4AD9424C9493@gmail.com> <CAMfhd9VgvMneT--VqgZ2VnwkbHuorE+ZMoYx_UnSu2QkPLaNmg@mail.gmail.com> <CAMfhd9WkTued8WnHfJ8=My21UGngfKNANPcL04BohKTJ2F4z6Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMfhd9WkTued8WnHfJ8=My21UGngfKNANPcL04BohKTJ2F4z6Q@mail.gmail.com>
User-Agent: NeoMutt/20161126 (1.7.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gEq5sdbaslTBh-uWXso9zeKJrrg>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2017 23:23:11 -0000
On Mon, Jan 09, 2017 at 02:55:57PM -0500, Adam Langley wrote: > On Mon, Jan 2, 2017 at 3:57 PM, Adam Langley <agl@imperialviolet.org> wrote: > > I don't expect that those who want to intercept TLS connections will > > see a MUST NOT and go do something else. Rather I think they should > > understand that TLS isn't supposed to be intercepted and, if they want > > to do that, then they're going to be breaking the spec in places. I > > think they're going to do that no matter what we do so I want to > > ensure that these "interceptable" implementations don't inadvertently > > proliferate. (Because if everything Just Works when you accidentally > > copy such a config to your frontend server, then it'll happen.) > > I had understood that the desire from some large institutions to > intercept TLS connections arose only in a datacenter setting. However, > based on private conversations, it appears that at-least one of those > institutions does this on their public frontends and will very likely > do something worse than persistent ECDHE if that's not possible with > TLS 1.3. Why can't they just decrypt it, possibly encrypt it with some other key, and store that? Kurt
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx