Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Roland Dobbins" <rdobbins@arbor.net> Mon, 17 July 2017 10:42 UTC

Return-Path: <rdobbins@arbor.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7FB131B56 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 03:42:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VfaDYXAvFj9R for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 03:42:31 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0128.outbound.protection.outlook.com [104.47.40.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B433013189C for <tls@ietf.org>; Mon, 17 Jul 2017 03:42:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-arbor-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=9Bz0oxd7YSzfq4PS9/+XZ/jzwlgPdX5lP9oWdsVs27k=; b=dkaHxsxIBS3rjPTEN5Emue4DgJJFNQR3TMvQP9b5hxUJzEPWZV5F/DtYuJzyjpwCbcGnqRVBSh1g1km1g1c1GvYALVXiGVqoqIPTvRASNcGFVpnQpRD6azeO3kBM4AIkpSQN9S4/n+l4kPvIH+x9zu9HfgFhpLKEQQB6kwcDqvo=
Authentication-Results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=arbor.net;
Received: from [172.16.1.3] (88.208.89.131) by BY1PR0101MB1029.prod.exchangelabs.com (10.160.199.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Mon, 17 Jul 2017 10:42:28 +0000
From: Roland Dobbins <rdobbins@arbor.net>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 17 Jul 2017 12:42:17 +0200
Message-ID: <7423703D-5277-4F78-A2ED-1B7E152E7B08@arbor.net>
In-Reply-To: <CACsn0cnc0X5++cOvTNsboda8J42qg3VDquZ4Va-X-YDcggnbvA@mail.gmail.com>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <72BACCE6-CCB9-4DE9-84E6-0F942E8C7093@gmail.com> <a0a7b2ed-8017-9a54-fec0-6156c31bbbfa@nomountain.net> <6AF150DF-D3C8-4A4A-9D56-617C56539A6E@arbor.net> <CAN2QdAGRTLyucM1-JPmDU17kQgAv0bPZNASh54v=XoCW+qj48A@mail.gmail.com> <CACsn0cnc0X5++cOvTNsboda8J42qg3VDquZ4Va-X-YDcggnbvA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5347)
X-Originating-IP: [88.208.89.131]
X-ClientProxiedBy: DB6PR04CA0014.eurprd04.prod.outlook.com (10.170.208.27) To BY1PR0101MB1029.prod.exchangelabs.com (10.160.199.154)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b75a0f6f-f794-46cb-8ac6-08d4cd0085a7
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY1PR0101MB1029;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 3:N3EEfzNFdN2kFwnlNN74J/LuZEFP2fw5gg0j5JrD0s6q1Gj9/OIk/AVvycMrQY3XoJYBnVyZ7zWhyJzPHuWUg5DcueqZUxcnGFdZB9xNEd6EQQ3B3W1X9fWcNzUGcUfAVR5xOz8CtUZt4hzIKcT9KnaYSy0Y5ziKUob1hkWE7bnzn4RO9BTu/bf/DZUOdPk/NuEbhgoD2oxolgxQaUMyRxDRa742wBUeAh2SuTN4lI+hZpGkkJFD/peHAXw125n3CHIxIHunP+NG5rhRdm8ODAZ38qrddjsGavsY4WvnYSGtEYAjCOzH5YbuAxM6jA9pDqVKsWQtYp/qwyi2RtZpm6ekvWY41SGB3mkIHlkg47Jhir7g2daks/2bAHqwKcHOMeloK7mgZTHRCvJiQDbcxfZlrNeTs358vdgGJXld8sk+qlT+S50u84CMY8cehBGADp0xNwWYUrCpc62dfOxSbPGOgw1sAA6IYzuOFbklmR9Zx2/P6kfkFpIQMJFXiy4jDr/7kxRu54wdiTlcF3TLYaT2MeS34lQQejSAwWCZzlDLi0v3ES5/u3sFKPQbcEqRqZF0tgmtWtWUDVaiMSGgT8o0xZrbo4acPxwPNUIKRP0Pn13QgzmhnzyPwg7Om/3H3YOt6JxIfqaZLAQ3EZU6Vdte/zFIEJ8lbX2wMPIkkDAi5tvRV2tV7D3r8hAXNa8D7oSyVvWo/Jn19n+/Z4SGN5k5n9iuck1Tc4TNdmbWuzY=
X-MS-TrafficTypeDiagnostic: BY1PR0101MB1029:
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 25:X/3DaR0WGspk+j85FHBIsQiy56ATkJ4S0g/emrtOvbGqgdySiPsini/dNilZrkCMV8RqSmTwZu6wCqO1LgPqv72CWU+WeUqoGH23MQS+TcHGdaiz15X+XKlwDcG/K5JefErk5FASG0jwul+jRpuOlTPxt7Q5O/nY0q6IzViGw3ywZWynRrdg5JNF2VCs/dNwNSqN41d23WUmim97QLLr5o8KV5xsCQ5/OYTpZ3WT2CCvfAGi+rbwZPkYYOQuRfdljzX0Zibnv3cYhD64rIya4h59Brd5rcy9MMQ1eGB1Sk3CVXIqtV+dabWRlH8d/wtVBALEFEcua9eH68sWqo3apUYszRFeCzSh5R/q9eZDGMzoPu7NPLTRIq9Fbg23S+ds+VkGsr0bAH0+hN4En9UiwLu6FqQ97nrIv+FlINDz/WNPaPlh310KlooyE7beCbQIx1EEKwUwh9AY9Kni0BWxLkhLdB3dafZWK8oqQBj7tS9mQGXOHgbm/uwK7Z1Fu95J14ez1LM1eQFMkFCs8f23TRLWJxkmFtLwsoWtKW/ujdZOQBtDRu46D+0kkek9to9iW74+S214OFPHefWyvsUrY1FK+rpIpnD76a+dSaHiOEI8zME17eXyzCcBoeViafpyGPkd5wBy2PGzfLuzOueGb5IRtfss3M8A2DIDAIZFDwlcqsx60qWorn/AmZUZ9t56gvd9lT48EA29I4dhXwN9HONcLkKg0vOCdR1a3Zsw+cZ1yVnbZqRsOsTUmW+Q8gFSRSMYATsdi027yeIucD2nfF/UGSgpAMnBDxjYBpcIHkSx3cc2qvKdVRvB1m0P+dub0ooKyevi+rBwe0ZbQtD0wSLtnz1tBVezgZVX0qlCnIWERSK0oeM4SrmZnBh7ldKSQV+2a5GFWh4QKTjgeT6V1kZqpDvskSyKc7nN9yT6HQ4=
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 31:dpKYakIWOcz085fMogKWib1LYCul7W4nQbXOpiinDN6PiAYFRc9ZJyeT9WpxP71pEkTIdqzjNKnhWH8rk3pjtqNarZ0SOVwEp7OB65HOOUsD7qTJ1jKhfvyW4B9tX1X8Co+GUdLn+XJ62TB31/vu54m4H1T3AXxS4eN4jNxRY0+FWyf7jKDuF6xvwcgampByCCrdOGWdSqsgOj8cXpF7KWV2lV18qTe8a4LTui/nQ0gpxPAof95yqP+XXVX1wPZtitbuUML5ghGYbc3TOfNwNbrwLMnjrSMyxtGqY6vrCRryr8A2/63+DKZY9qEwEGisPvJoKnxHGtO0XKCCA39M8R3HqmiYrt1PvJMdoUtDD9WCcae06kBDtWXTQxp7On6ag209xdiCiNEDZFnVO+2euqRBW1esqqJOhibyb8zb8I1Not5dlAYTFErGd5S8iZV23B/IlsQW+fhTafF1xs/+BmXi6njx785SOPahrl5HLEjTaOFNeEHZc8Eu8TTLMK/ldXSOsBwSo2GCsOPmO4fAHpvXvzMGWvIFwr/rBLaoty+L4qT+qRGvKgP6o2kJVUyFbAc8ixhiD96Pv5lTahDWPSjZFMHcQOneY856DzdTxaImAA+jA9Btz5AxnF1Wu3PxFOb8vfCVYU3JLiCHQMv02rrl89Kk6J1oq7MDUvONOft2F01X/79k2z2hAtbqCQX3G1S6PEs3vIjTZXjiqV8ALw==
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 20:xtYWROmoB+sdakaT7zQ3hhqDLzkRd03UJaECEdYG56aEQEt7Yt11IawluhSZ8EpQ7UlbceZsbw0EApv8VrJQIBSMRlzr1ERlLzKb/tQ8kx7W3/OOoqllWroUKE91zLM+sQNBEy41EYOYSEEowwj0FASLcW/lnN8hcxIKLFuUcoXNnQqr6w7RxcYbpj3U1Wrpv+FrXZ2eUSOilcR/ObZEJedV/CES63F8wV3mKTs+gddToWdf5CuJ7HHkK2TfMT+5F7yR+lYMBCjAfCKw4HsmXqUswzZDP8tOBDQtp0ehA/MNQ9OkQb64KlXcYAe1NaiW+/CR2DnWLYn/ao2Bd1BZmq0aTtrvdK40+o0kLlIIP4LGUyRdvd4qDsOLVzMhc2HnW7VA0dxL9EKrd1zCiZGr9GnmvuNbxbDeFFMTnSdqEEoHSeGOHK5c6kFTf93QjyYOsUSrjuB+ScMuGMcrGVf+z6IKHItjjILVwDnvrDaV81yL2Q43KjQwMWDZPigEXYF4
X-Exchange-Antispam-Report-Test: UriScan:(236129657087228)(266576461109395);
X-Microsoft-Antispam-PRVS: <BY1PR0101MB10299ACA8AC98C40540048A8CAA00@BY1PR0101MB1029.prod.exchangelabs.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(2017060910075)(100000703101)(100105400095)(10201501046)(3002001)(93006095)(93001095)(6041248)(20161123555025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123562025)(20161123558100)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY1PR0101MB1029; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY1PR0101MB1029;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 4:yjPVg3L7FfjqPxK6Gs9UtumKAZuBSyPoGWOETjA9P95l5MTU4Edyq9pVFvF/x6Xm96T+/UpeLyoTqkkwh+XKwAAM3hpe8A2y/V/52Ka+1PpSyzncTzMvSR3YNMavVS9A0O4c1mZ5HfInmJD/IH0NXkaAtFlGGQU+umSKdBpbS2Y01G3FpVWzhrw7556HH2jCobW1k8S1Il5eaFEu8cFnsPgZt4Qfx1Tq9JWtpH5iBwK4xrv9lBURIcjchqRAnc16HgBxbECAkGXw+1V5bK5IQ7l0xgTefPm9H1maiCMzVI4xFhiBvt7T5seafem2zAogHOPH/KRQxZHt2jk9vAdU2sHFWCrJQmjkFD9zWcH5QLf2kH/7kABfk6ZhkHUBBCzA1KoFk8I0ta44HUHA1cteXTNvavYSgBoDpLVJdcj41wrJS4UiTYfeBFus84tG0G7sNFwiy3p7Im1o7GDmngYyCIy+kQzFfaH0Lwr7qtyFA1hQ53xuRH/AvTdFMzO+0PB8xTcOrazBy8RpH5sWGUQjfIWiaZjKu0+ytEuiRWrby02wpMzfJj7Z0e6S04iDiwqtqod9YJShf5vi8T+h+pxuSSaostV6cEp67wK1wg235UhvW1K5ei6IIp9n2JHD98ZiBxjA9PCd7QEPDMjaZ9oiC/0NIvIupmCNLUi01paonBxx8p8X8YwSefs58Ew21c5LngedxX2ASestJic5lwejUUMvdTuRnnu2cnmBb267ywVbAgHHSxFTJ8uG3ujKMxGJSQk1EM2K69wIHiQM/NuBjr/6dzLocTkMo3lUWvakqUFcxqfawgcAVIXkxhVwz5gjUtle8bCtfkCs3UJ1AFGr6ZgtG3DTbKv6u8QDEl8KLygwckOi4uNy0FwOXabmMElvAI6v1V/G+ZgGsXrtOHmJys2Mc3V6i3GGZ+E3yafe/TkWUL38Rc0INzXlVp6gGN99En4G4MZq3UKbFteM/fww8dxba1QItRjdlou5PnDARbxEP/8d+aZs2Hn9qRF+vreskBFwgpPuC68JEcca2qpONatTam7G2Hs/pCw3cGpPX6hMrdJmGSuDABudwefV23h+eTFIEGUbteH/cVTetg5al1VnxdWqIlGptXMgRoJo14ZDlNpDK7mG7fS3GInZHvTtLfpAieKEUzDmtG8jvpa60NSrZDZKBJkB8V2D0ZbA6bFZzJvECDtoqUBzD7D807gMC88S4ipdon7l/+d0e6G70Ze7KJAHR5AGAKej9ohpEnU=
X-Forefront-PRVS: 0371762FE7
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(7370300001)(4630300001)(6049001)(6009001)(39450400003)(39400400002)(39850400002)(39410400002)(39840400002)(24454002)(6116002)(5660300001)(3846002)(53546010)(82746002)(6486002)(7350300001)(5003940100001)(229853002)(36756003)(93886004)(6916009)(2950100002)(478600001)(6666003)(86362001)(25786009)(77096006)(83716003)(305945005)(76176999)(33656002)(66066001)(50986999)(7736002)(1411001)(47776003)(189998001)(230783001)(6246003)(81166006)(53936002)(50226002)(38730400002)(110136004)(42186005)(4326008)(2906002)(8676002)(50466002)(90366009)(379384003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0101MB1029; H:[172.16.1.3]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 23:HB7/CrIzfANR16U+q5FwdNa7garVXj0hP4ya14iVlJo3JQ9Cma4sxq1RGW6J7W4MuvmMo6z0RFns+wvVqoeAKJ8iS97AYLs7hclCqn2aM4MvfDR0jNkgbmF9vrtL86tYDgjkYsV9k63RMkANp4OJDBOU34K/E8u5OPjHZxTaR/IOFj/WamtbJcn8txcyiS+0ZaS67DM5NOtcubSRvkBGFMMZd06Zgc8wu4zouQqfvdo401V6QmCZGwObBzQKK3NHkMTyQlUT1tfFPSXFWzxvwH8uydbRViBBHzLCSFqXBFCIyGE+p+oxRzSndjCt38IXuc2azqOTsbs4dt2NyOsz/SfZAFY0asCs/HY2MSP1mTN2vDsJ81dyqSxZ6IQUxQ3MjK7b4kFj9q9Z4iAizGVR1kklvRKod3koZET/CELIqefgJ/sE5lwk47utIufAmZEb9m8jgUgjXkjPx2Cgr81ga2AnryFX0rY5zroBAYaRMQfAtV6Ceh574OUxcQpkoy/7r9blaYvUhTm5yHvvUSDMt54z420VKb9y6o+YQUcfdMQMkxyLOrT0EG1Vk1j21pDumn2YNT4jaCXNMWRWspTYjz6hcP+VDWSngOdfmhvXqLGU7YFMFJRCdbYGUojk9fsVeaW9RFJTdyiJ+jz6inhLDNxsJ3ZK40hc4+SDS1wwS+cydW1Vc0Pws5usCedzFMELN0tl8njFF8FSXxpOmAZvmrzohiB+RFMMByVp3oZP8W/+4pUaBfGL2mDk+8Pkk+7PcF9jCXZ25VYJOQgTFsDBTBqLYW+pWHaQ8aJKNJGby3ZI55rhrMbjbblwNvhx0IKA0OF/N2LN+ntKuszSRoGbz+zq3eIQ/FKw5pLStzyXG+sx9icS+M505eDCNccpdIaMzWw29SlecQp1LiXDbXQgOk2KoQCACE0f+uSwB4m5l+8b/zTBgUZP1h9bXOF1dSxg1VBbBBtPM2x/PG/GCj6BRLRfK98UlRp2WTYhs/wJFU5Cu0hg0i4dfoq1dAzV3cP0jGwdlW+d0ezfy9UJju1DrpglWl8lJhegImX3HtYi3XKnZWkZK3Ubuw2n2qAiegeEthhRg3NOAM60tTR/HxcW/JeiweN3zDHISmjgyZKdss1Hfe0/UG1Tw/R10iNCKiafFohX3ULWXNrZ6MBvI1nAcP28dELZBpFcUE2GNfUFykDT1Vc0mVmID6eJzzR3K0l//vnu5cM1xj95YunsTZvcjohqHqvLA3c3GIk0RR8jzZ7EpqhSMK9l4gzNWpUdQPMyzflEz4+ZdvakfVcR3qB5gQ==
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 6:Rx90VUhgdkW1c8UsHjCH4+bpg1jV8Q5l5g5MDZF1FpKjql46sEN8VgbLu8lxZJtxV4kGYNCetBF1P/3v2TjvL9DCdAiYdLPVu4qCzscrzIxpHUZOWiu/uI1N0REEVfXh1lzkvNNpO8SD0bSw8cfmuxgC8hfXsN9ySh1a5gR60m3m1AmuXxlOgMkQAGCKjVN+GDA9BzAQ2luT++RXcw/bbALsjHVmtY08epTWNXJM79f2eosKA6XOPsoChFuyPATf/EZeFdb4wvzDsKOZjhRTMxlkwpH7eXg2lm7oZ1MJOUCwIMpj7YN03OSQaIWLCz2gbxYHa+/AvWFdyjFsxssn5x5b4qf1byvo0o/t9MxUYCQmDOfzoHUEg5Uwg7fQsK/oTY5+xAnOjrdIZK9VZCJwoJPcao+TdHs22UDKJeeMcv8WKG0FyfjO895iZ2hDw+E1HztFHgNPy6jFB4iQd0OKEXt/DCJGGLZbTOTLCCaAcZcbkxLOMtD5Or8Np1k5CgN6pKgQPeV2WgV1JwsKR10QUSKZhH6eJlMabzcsAn9CZPlf10ktUy5C48AmWsWI6SYRUQI9ckMF/TjUIhdBlnyzRgADhkbCqBr77ss+JfvsMJmsPMluE81lVmN4KqUy74Q2JfAAjIhBIYoZ8QjXKBM726h9UtZ9CsUpbqBl0O8M9k9SlWR04l+mNsvXtNb+7FdR3G7gXR9TK1Vn+v+lB23olR8ehltof/YMpifdg0FC3aaxQxXmftTl82+zLMK7PYVujC4MUArIT5EYzioJOxF8i0V4YNWR2tUbT0nczsgMKmSKqkfGzea/fGNMmcAveBU2tnK6BNEqr1HbXOdRJNCK6+KS+n1gUItKrB0I6ExDN+wSwAO1nU/TmTklMLBDIgZP6tblfgesrKMB72zMdjyaZDK3RlTrk9V7XO8TXg+PJNPvBDT0ehvtckqKzC2/S0XYzNUBzzU0tHlli/xi98qYxSsu2jcx8cs4SrtW/HHYW8g=
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 5:rkv+zetrqBzO8DEdc3tpk5OC1EB0xk2K+5tjOKjmaX/VZ4rsy/FIOa+bxC8SSC92+D6zCtWmAmm06RBT7FlqbofQ/dW9MJJ9xTry8KuAjGlHqybAnuppe8Edfu7Jq70h8qlO8N94ErQw2fuWrXvKyEh8WuGI0rhOAp3+prjEvvOsjt+ba304oK021S7d9TUeeNQKCgjpItGtAsTsbRsUPBZAQubT1XwQnbw0LRBEXz/FWR8OO41TQ6C3Jr0ZCcWIcqRaMsllkxBou4ifRY53IeQp0LSfdyz8BxVVY/Azzz16KzVLV2oF58m2pcIi+cBdlesCkDYtsPT+F8asgOkcNzRPw8MpboIEEKKJ9AkYxTCtg0adA8vQgFc8YqO9efTW/GhXJ7IdSudIitdlSaO20kQ+Ra96H2JancrWppIGBigbVoweKJNd77cgH3V4QG544qpTP2UkVvu38nX9RwCLPalDzDfQWmwtMdK0yNb6ZpxD8EzEKgtUhKiCIe92cb38; 24:vmH0vLUxBJmvl9fTuCjVMXEFfEBJpIRDSZUuXkjzBB16c2szl1Z6t78VzHDKvlU0YBYx9miFzKTF7hSbF6IONRjVlZ38ywDvktZdRV0tONs=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 7:YGnsT5n/jGux4lIgLiv2WC7EIf/p1ftWgVK920HhQvfOME0ltPheqTy/5V1vJbnKp/jMSKfJHyNholLV4ENifOvXEmhYx4PlSsD98l63x2LbkGToM/FldgjosAnrc72uA0rN+sVwXa0UgBpayhGbMqx4wP44UV48MW39DgN3O0Evp+M27/gakmazOZM2uUqJDDqCfpv2bk85L8aABn1WJWbHTOGeumM23rkvdrNxnFAdLaczrSjYnTeyR4wh2pyErSuqLGOkMUka7ge8xiNaC1LZSDkzTu89BlPSnvIY7SIo3CLXJbmhqrhvzyEI/jJpgcvlwDNN0/PPqBRvyk/texGlRvYmvo+vyyaIVnViZ4ZvLLGztN3wIgMIHp8I9wTQpvESPu2dYu7bXL6A8NRzRsLWWbwRzit+j/iuStEL394KrbmffR/ul47k4k8m/tODujXjIyCQ5ZaPQyT8aE/KB186RcMjgJM1aEz7RC2Uti+jChejx9p4H/DKJuMx3ZimAx7u6+jT68iGBcwJWvxOV8JSGsP5axLVYTjlMmU+5wANccRelglvEsePZ+0c5H1yRWv9HHeVTBhmDtpis9GlUsCg4jTEfd7XRJspLXNAU+u24tpCWaYxttUiqqR0Eu8IFRNIHXchl8kH26h/V0ozkFwqOTld9bPb2BMVpM6MdyR4KXoq7XeTsVcuB8O4G2nDZm2mg/7HCPsBNjr1ZlrtJCWAZfJo00FktK+xm9nDa2JGxonoUhpX1hkTeZdqnnoqREvOLVhK6gmu6Ze+wADzdgxyyngi+FAas6+0kU5TAKk=
X-OriginatorOrg: arbor.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jul 2017 10:42:28.4860 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0101MB1029
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hdGbag8ruy55UQ75rmoN4_Bh91M>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 10:42:33 -0000

On 15 Jul 2017, at 3:40, Watson Ladd wrote:

> DDoS mitigation can be done at endpoints

Not at scale.  That's why it isn't done that way.

I'm all in favor of things like mod_security.  But they can't do the 
heavy lifting on boxes which are already burdened by handling legitimate 
traffic.

> If you want to detect unauthorized access to a resource, having the 
> resource which
determines access anyway log that is enough.

This is incorrect.

> Exfiltration detection based on looking for sensitive identifiers 
> doesn't work:

Yes, it does.  I know, because I've done it.

> real attackers will encrypt the data and dribble it out slowly or 
> pretend to be videoconferencing.

Believe me, real attackers do all kinds of things - and the most common 
exfiltration mechanism is to try and get lost in the http/s crowd.

> As for attack surface why is "Press here to get plaintex of 
> everything" not a major, major increase in attackability?

Because these are intranet-only systems on isolated management networks 
with strong access controls.

> Which DDoS attacks specifically?

Among others, application-layer DDoS attacks within the cryptostream.

> And if the traffic isn't hitting endpoints, does it matter?

Of course it matters.

I've not personally had the pleasure of doing this, but I
know it is possible because it is done every day.

> Finally, most software can export the secrets from TLS connections to 
> a file.

Logs are context-free and in no wise have the same value as being able 
to see the interactive traffic on the network in real-time.

> The capacity being asked for already exists.

Yes - and now folks are talking about arbitrarily taking this capability 
away without understanding its criticality to network operations, 
troubleshooting, and security.

The fact that we're even having this discussion at this point in time is 
because of an astounding lack of due diligence on the part of those who 
are pushing to remove the capability to monitor standards-based 
encrypted traffic on intranets.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>