Re: [TLS] chairs - please shutdown wiretapping discussion...

"Ackermann, Michael" <MAckermann@bcbsm.com> Tue, 11 July 2017 15:00 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F0F612F3D5 for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 08:00:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SN-IjPK_Igxa for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 08:00:27 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A836127B57 for <tls@ietf.org>; Tue, 11 Jul 2017 08:00:26 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 19211C24C4 for <tls@ietf.org>; Tue, 11 Jul 2017 10:00:26 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id 2A9F2C246B; Tue, 11 Jul 2017 10:00:25 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DC627FE063; Tue, 11 Jul 2017 11:00:24 -0400 (EDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A14AAFE069; Tue, 11 Jul 2017 11:00:24 -0400 (EDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (unknown [216.32.180.183]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Tue, 11 Jul 2017 11:00:24 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=5Vhhe7FcXdqCZ/uL4YJIiwNUn9hf7HYxRdKwhZtZg2s=; b=5GskbzDc4EFP/0eo3yCJ2gTnFplWyMwFSskfCZmg9DUa1ek+1BIwEgKSvQPQvJJ/dbblW/WiejQfdIu0wTdzyVNdWt7jnKfoK2Jw3RVDc9YxGcEPeuySZtKINudJyR5fG6/Z/wJo3ALJchlbbqtdtrAqobWyBT+lcnJ7IDPkJ8Q=
Received: from CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) by CY4PR14MB1367.namprd14.prod.outlook.com (10.172.158.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1240.13; Tue, 11 Jul 2017 15:00:23 +0000
Received: from CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) by CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) with mapi id 15.01.1240.020; Tue, 11 Jul 2017 15:00:23 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Ted Lemon <mellon@fugue.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "Polk, Tim (Fed)" <william.polk@nist.gov>, IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] chairs - please shutdown wiretapping discussion...
Thread-Index: AQHS+YQI7m7fVGNOTUGFuL/08f/fM6JNIUiQgABTlgCAAAqIoIAAEXkAgAAChYCAAAJwgIAA4XWAgAA4+AA=
Date: Tue, 11 Jul 2017 15:00:15 +0000
Deferred-Delivery: Tue, 11 Jul 2017 15:00:00 +0000
Message-ID: <CY4PR14MB136850F84F0A28AEC8C326C1D7AE0@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <E9640B43-B3AD-48D7-910D-F284030B5466@nist.gov> <CY4PR14MB13688370E0544C9B84BB52A3D7A90@CY4PR14MB1368.namprd14.prod.outlook.com> <9693fc25-6444-e066-94aa-47094700f188@cs.tcd.ie> <CY4PR14MB1368BA01881DD9495FE86DF0D7A90@CY4PR14MB1368.namprd14.prod.outlook.com> <d806a69c-af30-c963-a361-91075332a61b@cs.tcd.ie> <F87D7646-DC53-4EF8-A2D8-D0939A0FB351@vigilsec.com> <b9001044-83d7-805c-2a49-c2780401bbf8@cs.tcd.ie> <C4125902-CA3A-4EA8-989B-8B1CE41598FB@fugue.com>
In-Reply-To: <C4125902-CA3A-4EA8-989B-8B1CE41598FB@fugue.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: fugue.com; dkim=none (message not signed) header.d=none;fugue.com; dmarc=none action=none header.from=bcbsm.com;
x-originating-ip: [167.242.122.71]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1367; 20:OhSDp7Zg6y1R/zUT2gV5rog9gFw+a2awaNEbkERq6GNHaP+4B2h8T3gbZ4DELxgcNvqdfAmMwI1WYu5OTqtHmFvj8hdeczpS1MLLNi/7jzYM87o1CAFvbMkrnMtjgeEEwUz5KwU2ksVAq804I0zcftj2wH8oqFLmyV4u7b9we6U=
x-ms-office365-filtering-correlation-id: 50426c6e-540e-417c-e9ad-08d4c86d8e77
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY4PR14MB1367;
x-ms-traffictypediagnostic: CY4PR14MB1367:
x-microsoft-antispam-prvs: <CY4PR14MB1367EECB9EFDD28893070069D7AE0@CY4PR14MB1367.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(151999592597050)(32856632585715)(65766998875637)(26388249023172)(236129657087228)(48057245064654)(148574349560750)(21748063052155)(247924648384137);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(2017060910075)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6041248)(20161123558100)(20161123560025)(20161123555025)(20161123562025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1367; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1367;
x-forefront-prvs: 0365C0E14B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39450400003)(39400400002)(39410400002)(377454003)(24454002)(99286003)(6116002)(66066001)(189998001)(2900100001)(561944003)(9686003)(54356999)(76176999)(38730400002)(5660300001)(72206003)(229853002)(6306002)(8936002)(53936002)(8656002)(55016002)(14454004)(8676002)(7736002)(3660700001)(50986999)(236005)(478600001)(54906002)(6246003)(25786009)(790700001)(54896002)(102836003)(81166006)(3846002)(86362001)(2950100002)(6436002)(6666003)(80792005)(33656002)(3280700002)(74316002)(53546010)(7696004)(6506006)(93886004)(77096006)(2906002)(4326008)(19609705001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1367; H:CY4PR14MB1368.namprd14.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB136850F84F0A28AEC8C326C1D7AE0CY4PR14MB1368namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2017 15:00:23.2515 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1367
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: 7ea3f388-15d2-4ab3-b533-b09d71220f04
X-VPM-MSG-ID: 5944cd2f-d85e-40c8-b5e6-b88f1a7d00c1
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mt3JgiQcxSRD99jITwJacgm75B8>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 15:00:31 -0000

I am not certain if I speak for all Enterprise individuals involved in this discourse or not.
But I would like to endorse what Ted is saying.

As much fun as this debate has become (not),  Enterprises originally raised this issue to the TLS-WG,  to engage their considerable expertise, and to help solve what will be a huge business problem,  when TLS 1.3 is implemented.
I believe all of us Enterprise people would prefer to work with the SMEs at TLS-WG, to determine the best possible answer to this very real issue we will all face.     That is why we came to this WG.
The draft proposal is the best solution I have heard.   If there is a better approach, we all need to be open to this, as well as open to perspectives on both sides of this issue.    IMHO we want to work with the TLS-WG, not work around it, in an effort to craft the best possible solution(s),  with ALL related issues addressed.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Ted Lemon
Sent: Tuesday, July 11, 2017 7:02 AM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
Cc: Polk, Tim (Fed) <william.polk@nist.gov>;; IETF TLS <tls@ietf.org>;
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...

On Jul 10, 2017, at 5:35 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:
Consider SMTP/TLS. Where one MTA on the path supports this.
Say it's one operated by an anti-spam company for example.
That is clearly not the sender nor recipient.

That meets all 4 points in 2804, right?

I don't buy this, Stephen.   The anti-spam company is not an eavesdropper.

What I don't understand about your approach to this draft is that it seems to me that the draft is obviously describing an exploit in TLS 1.3, for which a mitigation exists: remember keys, and refuse to communicate with an endpoint that presents a key you've seen before.

So rather than opposing the publication of the static keys draft, why not work on mitigating the attack it describes?   This attack exists whether the static keys draft is published or not.



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.