Re: [TLS] TLS@IETF101 Agenda Posted

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 13 March 2018 22:21 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EF1124D68 for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 15:21:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RH9jlf7jhHlu for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 15:21:50 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0101.outbound.protection.outlook.com [104.47.36.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02ACC129C56 for <tls@ietf.org>; Tue, 13 Mar 2018 15:21:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=5qpYPfrggxvqGoVHDB2doY0OgrcwUyA+4NkKAS3KND4=; b=g239DNi36g5CCCObrk5Og/uT6O/WAlRy+nLGb7RdNLuM2B8lSHjsBGccIn4X7q5blHiObvb3UPfCbAXXqodDre5qg6eCgxkW6TMu/x24pFD3AQ73xWBru8jfHMoR/Vla0+DSGfeVX+VKLlEIs2bMZ1jiFh+tLn4fLcqCc0Y8Jnk=
Received: from MWHPR21MB0189.namprd21.prod.outlook.com (10.173.52.135) by MWHPR21MB0191.namprd21.prod.outlook.com (10.173.52.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.609.2; Tue, 13 Mar 2018 22:21:48 +0000
Received: from MWHPR21MB0189.namprd21.prod.outlook.com ([fe80::6122:609e:a4da:bf1]) by MWHPR21MB0189.namprd21.prod.outlook.com ([fe80::6122:609e:a4da:bf1%12]) with mapi id 15.20.0609.006; Tue, 13 Mar 2018 22:21:48 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, Ted Lemon <mellon@fugue.com>
CC: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] TLS@IETF101 Agenda Posted
Thread-Index: AQHTtvl6VTcSmehKE0q2yFTVkRjOjaPGleQAgABgywCAAXVYgIAACUMAgACBv4CAAEcAAIAFASoAgAAMrwCAAA5/gIAAAfkAgAABAICAAAZagIAAAWsAgAAVGwCAABigAIAAEqmAgAAefYCAAABiAA==
Date: Tue, 13 Mar 2018 22:21:47 +0000
Message-ID: <MWHPR21MB01893AE7D90F3A9D825BEFA18CD20@MWHPR21MB0189.namprd21.prod.outlook.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <986797a7-81b0-7874-5f39-afe83c86635b@cs.tcd.ie> <CAOgPGoBYc7O+qmjM-ptkRkE6mRsOYgc5O7Wu9pm3drFp3TVa6Q@mail.gmail.com> <d7dfdc1a-2c96-fd88-df1b-3167fe0f804b@cs.tcd.ie> <CAHbuEH7E8MhFcMt2GSngSrGxN=6bU6LD49foPC-mdoUZboH_0Q@mail.gmail.com> <1a024320-c674-6f75-ccc4-d27b75e3d017@nomountain.net> <2ed0gc.p5dcxd.31eoyz-qmf@mercury.scss.tcd.ie> <d7ec110f-2a0b-cf97-94a3-eeb5594d8c24@cs.tcd.ie> <CAAF6GDcaG7nousyQ6wotEg4dW8PFuXi=riH2702eZZn2fwfLQw@mail.gmail.com> <CAPsNn2XCNtqZaQM6Bg8uoMZRJE+qQakEwvw8Cn9fBm-5H+Xn_A@mail.gmail.com> <3F8142DE-EADB-4AB9-A204-7D87ACDCD3E3@akamai.com> <CAPsNn2VE_7+rWT0fp9rrVnZrgcY7ORLWTee+kf_Av1dqm4CiDQ@mail.gmail.com> <CB55AABB-8937-4F6B-B5AC-B6F262F08A4F@akamai.com> <CAPsNn2U_xG28Tumo3oRkQ+6=BHzgv-6YtgNSpwvhdFFRWc7EQQ@mail.gmail.com> <2DC45296-244E-4C72-8B3C-DE47EADAC2DE@fugue.com> <BN7PR14MB23696A2767FF9C1A410110AFD7D20@BN7PR14MB2369.namprd14.prod.outlook.com> <090F06AF-371D-4B11-91AA-BD80C1ADB4E9@fugue.com> <C1970611-C781-41A8-87CA-D00629AC41E7@vigilsec.com>
In-Reply-To: <C1970611-C781-41A8-87CA-D00629AC41E7@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:8::4ca]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR21MB0191; 7:lb6db7WvRYZVHwaxXKrxoJV8COis6Rfrvk3XRIWDvhk+teyk+qeMLyZylqs/rkinjAHx/8pncagsm+seRhRm+j3yFmcCLah8R1q+t61fV+F1ypNcOZ40Kg/+dQNaXqbcv+HlxHGd7yS5Rb86vUmLuJMeqbp8BOtwiECFNRWQ3i9rZbHk9e43ch1GfaLfdUa2D2M+GhFzvK9p6RSywyOopzLJf8WbRhNpnzOhVHxT1xGUNMPSxZTwcgEQzd9uErWj; 20:mIg+okenU6iOhJyg2VS/4OmvyIEnvXf5UzT77fVlPgnCsPRZmF/TlvFlgJAV7LFs4bD2Q+yHa1RS/a/Q9H7OKMwu+lW9GUwP3wKEbu9yUFZiisLSv6rehFkmrgyceMD2gPvGSWBzK0vlYskUPPECIwzeu2N8z1Rx4cTilf2v0H8=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 314a8f83-5d69-4785-5ddb-08d58930cfd1
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:MWHPR21MB0191;
x-ms-traffictypediagnostic: MWHPR21MB0191:
x-microsoft-antispam-prvs: <MWHPR21MB019102423C81BF67B2B1964C8CD20@MWHPR21MB0191.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(61425038)(6040522)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(3231221)(944501255)(52105095)(6055026)(61426038)(61427038)(6041310)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:MWHPR21MB0191; BCL:0; PCL:0; RULEID:; SRVR:MWHPR21MB0191;
x-forefront-prvs: 0610D16BBE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(39860400002)(376002)(396003)(39380400002)(189003)(199004)(86362001)(74316002)(110136005)(10290500003)(102836004)(76176011)(59450400001)(478600001)(5250100002)(93886005)(2950100002)(6116002)(53546011)(790700001)(6506007)(105586002)(81166006)(2906002)(81156014)(99286004)(46003)(5660300001)(3660700001)(7696005)(7736002)(186003)(6346003)(8676002)(14454004)(8990500004)(6246003)(97736004)(9686003)(53936002)(3280700002)(4326008)(10090500001)(72206003)(25786009)(8936002)(68736007)(106356001)(6436002)(86612001)(54896002)(6306002)(2900100001)(22452003)(33656002)(316002)(229853002)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0191; H:MWHPR21MB0189.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-microsoft-antispam-message-info: 6StnfuWXd3SaAdVhBntJTRTPn/x+N4QII7gf7+/OBr2qgfY5WUPG9M46RtK3SPpH4Dd0AjEgIoFYKqjYUYUsiB226UwI1c/A1TXOc+iLmIw3KSlreiTFTSNctA86As2IEkIiOJOaa5Tg2HybD0RvnEH1EM5F+SGUy+9q0opZIxUGUTGt8dX69DLMK+XKzq7ibUuEadJSFXaFDwK8O9q31+dyRkxNBHk5rnp/7KQ8NvPa4xsSkR6E2CFZ7y/R+qCGwfkvrcOPkxZtLlUJHdS90i1dY5dxUqsSQc2q5tR+DzaBfi15GwsW21QamE/in0UJjXhfXxqFNwm3aIaNnOIbOg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR21MB01893AE7D90F3A9D825BEFA18CD20MWHPR21MB0189namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 314a8f83-5d69-4785-5ddb-08d58930cfd1
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2018 22:21:47.9912 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0191
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lO7eKWCdr-XxiCVZz-so0Cb_q2M>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 22:21:52 -0000

  *   If the client were to exclusively offer DHE-based ciphersuites, then the visibility techniques that have been used in the past are thwarted.
TLS1.3-visibility will be equally thwarted if the client does not send the empty "tls_visibility" extension, right?
(Assuming the server chooses to play by the rules, of course.)

Cheers,

Andrei

From: TLS <tls-bounces@ietf.org>; On Behalf Of Russ Housley
Sent: Tuesday, March 13, 2018 3:17 PM
To: Ted Lemon <mellon@fugue.com>;
Cc: IETF TLS <tls@ietf.org>;
Subject: Re: [TLS] TLS@IETF101 Agenda Posted

Ted:

There's an easy way to do this, although as a sometime bank security geek I would strongly advise you to not do it: keep using TLS 1.2.

This is a bogus argument.  First, staying with an old protocol version often leads to locking in unmaintained versions of old software.  Second, using TLS1.2 does not technically address the issue.  If the client were to exclusively offer DHE-based ciphersuites, then the visibility techniques that have been used in the past are thwarted.

Russ