Re: [TLS] Delegated Credentials and Lawful Intercept

Subodh Iyengar <subodh@fb.com> Fri, 01 November 2019 20:34 UTC

From: Subodh Iyengar <subodh@fb.com>
To: Florian Weimer <fw@deneb.enyo.de>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Delegated Credentials and Lawful Intercept
Thread-Index: AQHVkPD9+4+EWuIzlkuZhOUV6y7gqKd2xC4T
Date: Fri, 1 Nov 2019 20:33:48 +0000
Message-ID: <MWHPR15MB18211790250034085A9E3123B6620@MWHPR15MB1821.namprd15.prod.outlook.com>
References: <87zhhfcq2i.fsf@mid.deneb.enyo.de>
In-Reply-To: <87zhhfcq2i.fsf@mid.deneb.enyo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/irnmuOvFL8_CfBdYN7Jz34DKGAM>

I do not entirely have context on the requirements for something like that; I would imagine that the requirements would be significantly different and would need to be clearly defined. However, at a high level, I'm not sure using a DC would be different from a provider obtaining a certificate for a short time duration instead. The DC use case for short duration is for increased reliability during normal service operation; however, for these kinds of cases, which might be one-off use cases, one could obtain a real certificate.

Subodh
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Florian Weimer <fw@deneb.enyo.de>
Sent: Friday, November 1, 2019 1:13 PM
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Delegated Credentials and Lawful Intercept

Would it be possible to use delegated credentials to address lawful
intercept concerns, similar to eTLS?

Basically, the server operator would issue a delegated credential to
someone who has to decrypt or modify the traffic after intercepting
it, without having to disclose that backdoor in certificate
transparency logs.

And in a data center scenario, perhaps people feel more comfortable
loading those short-term credentials into their monitoring equipment.
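The thread turns on how short a delegated credential's lifetime is. As an added example that is not part of the thread or of any implementation, here is a stdlib-only Python sketch of the DelegatedCredential wire structure from draft-ietf-tls-subcerts and the validity checks a relying client applies to it (expiry measured from the certificate's notBefore, at most 7 days of remaining validity, never beyond the certificate itself). The SignatureScheme values and byte strings are constructed, and signature verification over the delegator certificate is left out; only the signed input is built.

```python
# Added example, not from the thread: DelegatedCredential encoding/parsing and
# the lifetime checks from draft-ietf-tls-subcerts. Sample values are constructed.
import struct

MAX_VALIDITY = 7 * 24 * 3600  # seconds; upper bound on a DC's remaining lifetime

def encode_credential(valid_time, expected_alg, spki):
    # Credential { uint32 valid_time; SignatureScheme expected_cert_verify_algorithm;
    #              opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; }
    return struct.pack("!IH", valid_time, expected_alg) + len(spki).to_bytes(3, "big") + spki

def encode_dc(cred, algorithm, signature):
    # DelegatedCredential { Credential cred; SignatureScheme algorithm;
    #                       opaque signature<0..2^16-1>; }
    return cred + struct.pack("!HH", algorithm, len(signature)) + signature

def parse_dc(data):
    """Decode the wire form; raises ValueError on a malformed structure."""
    if len(data) < 9:
        raise ValueError("truncated Credential")
    valid_time, expected_alg = struct.unpack("!IH", data[:6])
    spki_len = int.from_bytes(data[6:9], "big")
    cred_end = 9 + spki_len
    if spki_len == 0 or len(data) < cred_end + 4:
        raise ValueError("bad subjectPublicKeyInfo length")
    algorithm, sig_len = struct.unpack("!HH", data[cred_end:cred_end + 4])
    if len(data) != cred_end + 4 + sig_len:
        raise ValueError("signature length does not match")
    return {"valid_time": valid_time, "expected_cert_verify_algorithm": expected_alg,
            "spki": data[9:cred_end], "algorithm": algorithm,
            "signature": data[cred_end + 4:], "cred_bytes": data[:cred_end]}

def signature_input(cert_der, cred_bytes, client=False):
    # Bytes the delegator signs: 64 x 0x20, a context string, a zero byte, the DER
    # end-entity certificate, then the Credential (same shape as CertificateVerify).
    ctx = b"TLS, client delegated credentials" if client else b"TLS, server delegated credentials"
    return b"\x20" * 64 + ctx + b"\x00" + cert_der + cred_bytes

def check_validity(dc, cert_not_before, cert_not_after, now):
    """Times are Unix seconds; valid_time counts from the certificate's notBefore."""
    expiry = cert_not_before + dc["valid_time"]
    if expiry > cert_not_after:
        return False, "DC outlives the end-entity certificate"
    if now >= expiry:
        return False, "DC expired"
    if expiry - now > MAX_VALIDITY:
        return False, "remaining validity exceeds 7 days"
    return True, "ok"
```

Because valid_time is anchored to the certificate's notBefore, a DC issued against an older certificate can carry a large valid_time and still be rejected once its remaining window passes 7 days.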
