[TLS] draft-green-tls-static-dh-in-tls13-01

Matthew Green <matthewdgreen@gmail.com> Fri, 07 July 2017 07:02 UTC

From: Matthew Green <matthewdgreen@gmail.com>
Date: Fri, 07 Jul 2017 03:02:43 -0400
Message-ID: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com>
To: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ix_Pepa3xfZFV5ux0K6Ve4K10uo>
Subject: [TLS] draft-green-tls-static-dh-in-tls13-01

The need for enterprise datacenters to access TLS 1.3 plaintext for
security and operational requirements has been under discussion since
shortly before the Seoul IETF meeting. This draft provides current thinking
about the way to facilitate plain text access based on the use of static
(EC)DH keys on the servers. These keys have a lifetime; they get replaced
on a regular schedule. A key manager in the datacenter generates and
distributes these keys.  The Asymmetric Key Package [RFC5958] format is
used to transfer and load the keys wherever they are authorized for use.

We have asked for a few minutes to talk about this draft in the TLS WG
session at the upcoming Prague IETF. Please take a look so we can have a
productive discussion.  Of course, we're eager to start that discussion on
the mail list in advance of the meeting.

The draft can be found here:

https://tools.ietf.org/html/draft-green-tls-static-dh-in-tls13-01

Thanks for your attention,
Matt, Ralph, Paul, Steve, and Russ
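
An added illustration, not part of the original message or of the draft: why a server-side static (EC)DH key gives a passive holder of that key the handshake's shared secret, and what key replacement changes. X25519 as the group, the tiny non-constant-time implementation, and every function name are assumptions made here; only the (EC)DH step is shown, not the TLS 1.3 key schedule.

```python
import os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Minimal RFC 7748 X25519 (not constant-time; illustration only)."""
    s = bytearray(k); s[0] &= 248; s[31] = (s[31] & 127) | 64
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def handshake(server_priv: bytes):
    """One handshake: (client share, server share, secret both ends derive)."""
    client_priv = os.urandom(32)                  # the client stays ephemeral
    client_share = x25519(client_priv, BASE)
    server_share = x25519(server_priv, BASE)      # static key => same share each time
    return client_share, server_share, x25519(client_priv, server_share)

def monitor_secret(held_priv: bytes, client_share: bytes) -> bytes:
    """Passive monitor: key obtained from the key manager + observed client share."""
    return x25519(held_priv, client_share)

def demo() -> dict:
    static_key = os.urandom(32)                   # constructed: issued by the key manager
    s1, s2 = handshake(static_key), handshake(static_key)
    s3 = handshake(os.urandom(32))                # after scheduled key replacement
    return {
        "server_share_repeats": s1[1] == s2[1],
        "monitor_derives_both": all(monitor_secret(static_key, s[0]) == s[2] for s in (s1, s2)),
        "share_changes_after_rotation": s3[1] != s1[1],
        "old_key_derives_rotated_session": monitor_secret(static_key, s3[0]) == s3[2],
    }

if __name__ == "__main__":
    print(demo())
```

The repeated server share across handshakes is also what an endpoint or network observer can check to tell whether a server is using a static key.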