[TLS] Layered TLS ... was Re: New Version Notification for draft-friel-tls-over-http-00.txt

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 07 November 2017 10:24 UTC

To: Alex C <immibis@gmail.com>, Richard Barnes <rlb@ipv.sx>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <150939282345.7694.10153977158870845060.idtracker@ietfa.amsl.com> <CAL02cgRS715Vc+4_QNDSNBW8LP1f-Rmp0FW9W_pyHHpAnkX7Sg@mail.gmail.com> <CAMqknA6-+=W8j77xZ80M8Y+bz3V+VLUDOYjgK2vA0=HLHk7k2w@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <a67c6cfa-dc39-3e62-59d7-e251920374a0@gmx.net>
Date: Tue, 07 Nov 2017 11:23:55 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ly1L83vS2tcREQNIjcm6YHA4hJM>

This is interesting since Mark Baugher and I have also been working
on the use of TLS at the application layer and we did some
implementation work with mbed TLS (with TLS 1.3) and OpenSSL.

Our work was motivated by the discussions in the IoT groups about
re-inventing the TLS handshake at the application layer.

Our document can be found here:
https://tools.ietf.org/html/draft-tschofenig-layered-tls-00

Ciao
Hannes

On 11/07/2017 10:21 AM, Alex C wrote:
> What exactly is the threat model here?
> 
> Are you trying to hide a connection from a reverse proxy at the server
> end? If so, the server operator should not have deployed a reverse proxy
> in the first place.
> 
> Are you trying to hide from a MITM proxy that supplies its own
> certificate? If so, then what prevents the proxy from doing the same to
> the tunnelled session?
> When MITM proxies learn to do that, will we create another tunnelling
> protocol inside this one?
> 
> This is a cat-and-mouse game with middleboxes (much like the version
> negotiation problem, but in a different way). Keep playing and everyone
> loses.
> 
> On Tue, Oct 31, 2017 at 11:17 AM, Richard Barnes <rlb@ipv.sx> wrote:
> 
>     Hey TLS folks,
> 
>     Owen, Max, and I have been kicking around some ideas for how to make
>     secure connections in environments where HTTPS is subject to MitM /
>     proxying.
> 
>     The below draft lays out a way to tunnel TLS over HTTPS, in hopes of
>     creating a channel you could use when you really need things to be
>     private, even from the local MitM. 
> 
>     Feedback obviously very welcome.  Interested in whether folks think
>     this is a useful area in which to develop an RFC, and any thoughts
>     on how to do this better.
> 
>     Thanks,
>     --Richard
> 
> 
>     On Mon, Oct 30, 2017 at 3:47 PM, <internet-drafts@ietf.org> wrote:
> 
> 
>         A new version of I-D, draft-friel-tls-over-http-00.txt
>         has been successfully submitted by Owen Friel and posted to the
>         IETF repository.
> 
>         Name:           draft-friel-tls-over-http
>         Revision:       00
>         Title:          Application-Layer TLS
>         Document date:  2017-10-30
>         Group:          Individual Submission
>         Pages:          20
>         URL:            https://www.ietf.org/internet-drafts/draft-friel-tls-over-http-00.txt
>         Status:         https://datatracker.ietf.org/doc/draft-friel-tls-over-http/
>         Htmlized:       https://tools.ietf.org/html/draft-friel-tls-over-http-00
>         Htmlized:       https://datatracker.ietf.org/doc/html/draft-friel-tls-over-http-00
> 
> 
>         Abstract:
>            Many clients need to establish secure connections to application
>            services but face challenges establishing these connections due to
>            the presence of middleboxes that terminate TLS connections from the
>            client and re-establish new TLS connections to the service.  This
>            document defines a mechanism for transporting TLS records in HTTP
>            message bodies between clients and services.  This enables clients
>            and services to establish secure connections using TLS at the
>            application layer, and treat any middleboxes that are intercepting
>            traffic at the network layer as untrusted transport.  In short, this
>            mechanism moves the TLS handshake up the OSI stack to the application
>            layer.
> 
> 
> 
> 
>         Please note that it may take a couple of minutes from the time
>         of submission until the htmlized version and diff are available at
>         tools.ietf.org.
> 
>         The IETF Secretariat
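The abstract quoted above describes the mechanism (TLS records carried in HTTP message bodies, with any TLS-terminating middlebox treated as untrusted transport), and Alex C's reply asks what such a middlebox can still see or do. The Go program below is an added example written for this page, not code from either draft or from their authors. It drives Go's crypto/tls over a net.Conn whose writes become HTTP POST bodies (client to server) and 200-response bodies (server to client), keeps a copy of that outer traffic the way a proxy terminating the outer HTTPS would, and then reports what the copy reveals. The path /tls, the Host and certificate names, the media type and the one-HTTP-message-per-TLS-write framing are assumptions of this example; the request/response pairing and session identification a real deployment would need are not modelled. The inner client trusts only the throwaway self-signed certificate generated inline, which is the property that stops a middlebox from repeating its interception one layer up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// httpConn ships each Write (whole TLS records) as the body of one HTTP message (POST
// client->server, 200 response back) and copies every message to wire, the capture a
// proxy terminating the outer HTTPS would hold. The embedded net.Conn only supplies
// the Close/Addr/Deadline methods. Path, Host and media type are demo assumptions.
type httpConn struct {
	net.Conn
	out, in, wire chan []byte
	isClient      bool
	rbuf          bytes.Buffer // received body bytes that TLS has not consumed yet
}

func (c *httpConn) Write(p []byte) (int, error) {
	hdr := "HTTP/1.1 200 OK\r\n"
	if c.isClient {
		hdr = "POST /tls HTTP/1.1\r\nHost: outer.example.test\r\n"
	}
	msg := append([]byte(fmt.Sprintf("%sContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n", hdr, len(p))), p...)
	c.wire <- msg
	c.out <- msg
	return len(p), nil
}

func (c *httpConn) Read(p []byte) (int, error) {
	if c.rbuf.Len() == 0 {
		select {
		case msg := <-c.in: // the body is everything after the first blank line
			_, body, _ := bytes.Cut(msg, []byte("\r\n\r\n"))
			c.rbuf.Write(body)
		case <-time.After(5 * time.Second):
			return 0, net.ErrClosed // peer gone: fail instead of hanging forever
		}
	}
	return c.rbuf.Read(p)
}

// Demo runs one TLS 1.3 session over the HTTP framing with a throwaway self-signed
// inner certificate that the client trusts exclusively; it returns what the inner
// server decrypted plus the outer-HTTP capture.
func Demo(secret string) (serverGot string, wire [][]byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"inner.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the only trust anchor the inner client accepts
	pool.AddCert(leaf)
	p1, p2 := net.Pipe() // borrowed solely for the boilerplate net.Conn methods
	c2s, s2c, tap, done := make(chan []byte, 64), make(chan []byte, 64), make(chan []byte, 64), make(chan error, 1)
	go func() {
		srv := tls.Server(&httpConn{Conn: p2, out: s2c, in: c2s, wire: tap}, &tls.Config{MinVersion: tls.VersionTLS13,
			Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
		var buf [4096]byte
		n, err := srv.Read(buf[:]) // Read completes the server side of the handshake first
		serverGot = string(buf[:n]) // published to the caller by the send on done
		done <- err
	}()
	cli := tls.Client(&httpConn{Conn: p1, out: c2s, in: s2c, wire: tap, isClient: true}, &tls.Config{
		MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "inner.example.test"})
	_, err = cli.Write([]byte(secret)) // Write runs the inner handshake first
	if e := <-done; err == nil {
		err = e
	}
	for len(tap) > 0 {
		wire = append(wire, <-tap)
	}
	return
}

// MiddleboxView is what the outer proxy can extract from the capture: request or
// status lines, the TLS record type opening each body, and whether the secret shows.
func MiddleboxView(wire [][]byte, secret string) (lines []string, recordTypes []byte, secretVisible bool) {
	for _, msg := range wire {
		head, body, _ := bytes.Cut(msg, []byte("\r\n\r\n"))
		line, _, _ := bytes.Cut(head, []byte("\r\n"))
		lines, recordTypes = append(lines, string(line)), append(recordTypes, body[0])
		secretVisible = secretVisible || bytes.Contains(body, []byte(secret))
	}
	return
}

func main() {
	secret := "card=4111111111111111" // constructed sample payload
	serverGot, wire, err := Demo(secret)
	if err != nil {
		panic(err)
	}
	lines, types, visible := MiddleboxView(wire, secret)
	fmt.Printf("inner server decrypted %q; middlebox saw %d HTTP messages, secret visible: %v\n", serverGot, len(lines), visible)
	for i, l := range lines {
		fmt.Printf("  %-22s body starts with TLS record type 0x%02x\n", l, types[i])
	}
}
```

Every outer message is well-formed HTTP, so a proxy that terminates the outer HTTPS parses it without complaint, yet each body begins with a TLS record header (0x16 for the ClientHello, 0x17 for the encrypted records that follow) and the payload string never appears in the capture. Alex C's objection remains the design constraint: this holds only because the client's trust anchor for the inner session is one the middlebox cannot issue under; a client that also accepted the middlebox's CA for the inner handshake would gain nothing from the extra layer.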