Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"David A. Cooper" <david.cooper@nist.gov> Wed, 25 October 2017 15:18 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A68D13F3F1 for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 08:18:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5D9R7rPv2dll for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 08:18:16 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E830D13F3E3 for <tls@ietf.org>; Wed, 25 Oct 2017 08:18:14 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.361.1; Wed, 25 Oct 2017 11:18:05 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.361.1; Wed, 25 Oct 2017 11:18:13 -0400
Received: from [129.6.105.183] (cooper-optiplex-9010.campus.nist.gov [129.6.105.183]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id v9PFI2wE014013; Wed, 25 Oct 2017 11:18:03 -0400
To: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <cde0e322-797c-56e8-8c8d-655248ed7974@nist.gov> <FB95CAC8-C967-4724-90FB-B7E609DADF45@akamai.com> <8A5E441B-90B7-4DF4-BD45-7A33C165691B@gmail.com> <3BA34D7B-BB04-4A1F-B18A-B0AC25402C4B@gmail.com> <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov> <9E26AFA9-2E72-4E8C-B304-553A2C851DC4@gmail.com> <2d45c53b-cef3-7e86-3d6f-3d486b1342b8@nist.gov> <74265928-8252-4CA1-B6A4-45296F74637B@akamai.com> <5fd2adb6-ed9c-2368-34de-db0597727e68@nist.gov> <2419b509-c1a5-d867-92c9-f4713804af91@cs.tcd.ie> <003ff6b5-1e1b-17cf-8b45-3bdd8562b902@nist.gov> <49EFAAD0-8457-4775-AE21-1D270872CD56@akamai.com> <f741b067-e7af-5231-4bb1-a0c2d151e6bf@nist.gov> <E775B188-59A0-4D87-A70F-638A2AD4C307@akamai.com>
From: "David A. Cooper" <david.cooper@nist.gov>
Message-ID: <4f1b6a8d-688b-a286-6d0e-46f7f6a3cdd6@nist.gov>
Date: Wed, 25 Oct 2017 11:18:02 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <E775B188-59A0-4D87-A70F-638A2AD4C307@akamai.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mLNE5wurAUo1R-FSfLuiCT2CL0c>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 15:18:18 -0000

I've already responded to this! Why are you wasting everyone's time by 
asking the same questions over and over, even though I've already 
clearly answered them?

An airplane/wifi provider might say "download our free browser," but it 
won't rely on draft-rhrd-tls-tls13-visibility to snoop on its customers. 
If the airplane/wifi provider controls the software on its customers' 
computers, it doesn't need the cooperation of the servers that the 
customers are connecting to in order to snoop, so it wouldn't go through 
the effort of trying to get that cooperation. And, if the airplane/wifi 
provider has the cooperation of the servers that the customers are 
connecting to it doesn't need to convince its customers to download any 
software or in any other way get the customers to cooperate in allowing 
the snooping, so it won't bother. If you believe otherwise, then you 
are the one who is being very naïve.

I can't guarantee that enterprise visibility will stop at the enterprise 
firewall. My argument is simply that use of the protocol in this draft 
will stop at the enterprise firewall since outside the firewall, when 
communicating with clients outside of the enterprise's control, the 
enterprises that want to enable "visibility" into such traffic will use 
other means that don't require the cooperation or knowledge of the 
clients, since those other means would be easier and more effective. You 
have done nothing to suggest otherwise.

On 10/25/2017 10:56 AM, Salz, Rich wrote:
>>     This question is based on your belief that this protocol will "escape" onto the public Internet
> Yes.  Are you saying that you don’t believe that the enterprise visibility will stop at their firewall?  That they will allow ‘stock’ TLS 1.3 to work connecting to their sites?  That the airplane/wifi provider won’t say ‘download our free browser’?
>
> I think you’re being very naïve to think otherwise.
>
>