Re: [TLS] ETSI releases standards for enterprise security and data centre management

Tony Arcieri <> Thu, 06 December 2018 23:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 419DB130E5A for <>; Thu, 6 Dec 2018 15:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aMgSO08VwU5I for <>; Thu, 6 Dec 2018 15:29:25 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 47371131214 for <>; Thu, 6 Dec 2018 15:29:25 -0800 (PST)
Received: by with SMTP id w13so1942345oiw.9 for <>; Thu, 06 Dec 2018 15:29:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+MQ6ita8ngRgh2qKX4SgoNx7qcq81U4xfs/uOGgrCBg=; b=DN0av/3K+FtPr9AyU0TBWqE5euR8BMLYAlcT9FUFbTmO6KKkAnQueDC+aIchoIxjpF HrgmfhfHOK9P7GB5whn5Hud0jh570UmlQlGemRL6hnhyJhfxmv2V7bK1rZrN0CMvg52B liIhR4zw8QanakZpEc59odJVYAqZlabdJQ80z68HhV7BlMVBSNy6ZZjwRDMxjPgCbfyv gph4irD9ExvtqkI+WTP3ckiFB2gIVH5tkUqzbTr05lxig/mXg+Zx++od535BfyuKfaFl 2gIQ7AmuujMZR9kpf+y7RD/xIxF3IIhJFYWOQ8Oir+CVko7vQJH10olP9RF5CM6t1i6X FMOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+MQ6ita8ngRgh2qKX4SgoNx7qcq81U4xfs/uOGgrCBg=; b=LCV2iXbbfOfBJAZt78Eh1yL3m50fBdhqxajTMBxlDoNxpINW029FXoMj4lix4YOBBh Ba7bPtArMwt5/RfLWakJYRhja1TgLKcbB6VV/89Q2suyuBOIFBL7Mohkimg/BoBgFnkH +baYb7yBlO1kQppXdjkYym1FlQSnYZtTB15GZBov/OUjmPJpgBoZDSIDC9SiNRaz3rUK Fm3ocWGmFiFUUKe6P28GUcfIeXH3bVvCS1/3t9bYKsnWHmzEEg0pKUkSVwgUtHczl5iU s0H2OlMOB9JXpOhcQvR8fQGRD8uJcJXrgELCGRjop7J6w7xkYKvPB6FdMIwKtpdoityV 9O5Q==
X-Gm-Message-State: AA+aEWZd7xTWC2neJCzPdwYrIgMKjBAXu7EPeqGgd/s8+iOtBRhJdvc9 Y1q0DyYz6i7Yk68I5LHS+M/CzRVdAxAumOkzj/qz53FF
X-Google-Smtp-Source: AFSGD/U999GSJNn8QSwhcboDfVYwSRcSK4LEt+kFVTEfWG1m//EFWN5RFY6LCbRQ1v+Vnw7XjHdRigWMrDwoqDGjzm4=
X-Received: by 2002:aca:ba02:: with SMTP id k2mr19830242oif.177.1544138964563; Thu, 06 Dec 2018 15:29:24 -0800 (PST)
MIME-Version: 1.0
References: <> <> <20181202233553.GD15561@localhost> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Tony Arcieri <>
Date: Thu, 6 Dec 2018 15:29:13 -0800
Message-ID: <>
To: Daniel Kahn Gillmor <>
Cc: Andrei Popov <>, "<>" <>
Content-Type: multipart/alternative; boundary="000000000000777d41057c62de2c"
Archived-At: <>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Dec 2018 23:29:30 -0000

On Thu, Dec 6, 2018 at 12:33 PM Daniel Kahn Gillmor <>;

> So it's conceivable that truly malicious servers would do this, of
> course, but they might also just publish the master secret on twitter
> too, and the client wouldn't know how to detect that inband either.  But
> for the misbehavior that we *can* detect in-band, a responsible client
> should be aware of it and avoid it, right?

If nothing else, implementations which reuse ephemeral keys for long
periods of time are buggy and contain a vulnerability which violates the
security assumptions of the protocol.

I think it's reasonable for clients to detect and reject this behavior, as
it's an indicator TLS has been deployed in an insecure way and therefore
the connection should be aborted. I think this could detect a wide range of
"real world" TLS implementation failures which have come up in the past,
including bugs in random number generation and bugs in the code in TLS
stacks responsible for rotating ephemeral keys.

Tony Arcieri