IETF Logo Mail Archive

Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)

Dave Garrett <davemgarrett@gmail.com> Thu, 17 September 2015 00:47 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D82621A90AA for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.019
X-Spam-Level:
X-Spam-Status: No, score=-0.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_PROFILE2=1.981, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyT7CyzvU0iw for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 17:47:15 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E1EE1A90A5 for <tls@ietf.org>; Wed, 16 Sep 2015 17:47:15 -0700 (PDT)
Received: by qgev79 with SMTP id v79so1850188qge.0 for <tls@ietf.org>; Wed, 16 Sep 2015 17:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=tzswWP1lbflMN8BM8em5uvzXRjXiYukMLoz0PQ2idgk=; b=Om00Rl3gGOe4wA0sqJg4tcBL/8OIhCL/9mKcY+LmwCiCLU7yh+ssY1tktvgKu/VXBe yvyBC+4ZYz84huNWFaA1/mq6QrKouUo7EqoZM2WO9Rxyidq30Z/+jAOodtG/WsYms9W9 e+1Z5N7tcEPXXN/GVmqeCaVP1LkkLN3G8uPXaa6MdQ4DAROBHiP4Xf01JrMXJCWkLPNQ UfNyNzqVh44CdD7FgV2iGIzrK+OlOm3LqQnQYlPesiYyRujC3T+vaRfNICvIU5e/eLJF FkF7XoG5PqKamnNPNYW5CVFksETgf5XU02v6jeKRI4FX9ZE86ps78JygedcPWJQXtTJT 4GTQ==
X-Received: by 10.140.16.131 with SMTP id 3mr46585382qgb.35.1442450834344; Wed, 16 Sep 2015 17:47:14 -0700 (PDT)
Received: from dave-laptop.localnet (pool-72-94-152-197.phlapa.fios.verizon.net. [72.94.152.197]) by smtp.gmail.com with ESMTPSA id x19sm214408qkx.32.2015.09.16.17.47.13 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 16 Sep 2015 17:47:13 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: noloader@gmail.com
Date: Wed, 16 Sep 2015 20:47:11 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com> <201509161914.48720.davemgarrett@gmail.com> <CAH8yC8kmz_4W7G_wD+pW56QExm3jYUV8jmHW-g3uLV77g742jA@mail.gmail.com>
In-Reply-To: <CAH8yC8kmz_4W7G_wD+pW56QExm3jYUV8jmHW-g3uLV77g742jA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201509162047.12308.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jj6xwf-f1zR8PW80NlNCw_Ioz4c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 00:47:17 -0000

On Wednesday, September 16, 2015 07:57:40 pm Jeffrey Walton wrote:
> I think it would be wise to acknowledge the "compatibility" use case,
> and capture it in a profile. It would be more permissive because it
> provides compatibility, like SSLv3.
> 
> And because SSLv3 is represented in a down level profile for those who
> need it, then it could be removed from standard and more defensive
> profiles without much fuss.

What's confusing things here is that SSL3 is _already_ removed from the standards.

RFC 7568 was published to say it MUST NOT be negotiated from any version of TLS:
https://tools.ietf.org/html/rfc7568#section-3

I already added this to the TLS 1.3 draft as well:
https://tools.ietf.org/html/draft-ietf-tls-tls13-08#appendix-C.3

There is no legitimate use of SSL3 by any implementation/organization which acknowledges any new IETF standards. Mention of it at all is a proposal to undo this in some form. It's already supposed to be dead and buried and only in use by obsolete junk which isn't keeping up with new standards.

> For me, its about acknowledging "one size does not fit all" and
> managing debates. One size fits all ultimately draws out the process
> and weakens things even though its not anyone's agenda.

This is certainly true for IoT, in current practice, and that's why there's a separate I-D for that.

> Right, a concrete list would probably be helpful. The list should
> probably be based on use cases.

Yes.

> * Compatibility - down level servers that can't be upgraded, and
> clients/UAs that must connect to them

I argue that this is not a legitimate use case, not because I consider it bogus, per se, but because those in this use-case are already not following standards and thus adding a new one for them is not particularly helpful. There is also no such thing as a server that can't be upgraded; just ones for which someone has decided to not allocate the proper resources to do so because security is not considered a priority.

> * Embedded - low(er) capability crypto, like CAC/PIV cards, smart
> cards and Hotelier Locks, and similar use cases
> * Opportunistic - capture email, FTP, etc here. Viktor makes the best
> arguments here; defer to him

Yes & Yes

> * Standard - where the working group would like to be in a typical
> security posture.
> * Defensive - where risk adverse folks would like to be in a defensive
> security posture.

I'm sort of neutral on this, but it could just be about how we frame it. I'm thinking standard and strict, in that strict simply permits no obsolete features for the purposes of backwards compatibility (e.g. TLS 1.2+ with only features which TLS 1.3 allows). This is somewhat different in that I don't think anything else should change, e.g. recommendations of key strengths or algorithms should not change to accommodate a more defensive posture. The standard should be sufficient on its own. What I'm thinking of is a strict profile that would essentially just be the basis of TLS 1.4's expectations, for those who can do it now, not for any special security need. I'm largely against the idea that we should pick and choose who deserves "good" security and who deserves "ideal" security. Special-casing just lets one group race to the bottom, or stay there.

> Defensive is an interesting profile. I imagine it would include TLS
> 1.2 and/or 1.3 only, no key transport, authenticated encryption mode
> ciphers, no HTTPS Pinning Overrides, etc. Then, auditors in industry
> like healthcare or PCI can call it out by name and everyone is on the
> same page. The auditors and organizations can worry less about patient
> or card holder data being leaked because a user was phished or visited
> another organization (that required a configuration change to use the
> wireless network).
> 
> It might also be wise to use "Standard 2015" because in 3 or 5 years,
> its going to be revised. Then there's no confusion when things are
> updated an "Standard 2019" becomes available.

Good point on naming and versioning by year is a very very good idea.


Dave

v2.23.0 | Report a Bug | By Email