Re: [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Eric Rescorla <ekr@rtfm.com> Tue, 28 July 2020 11:13 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 28 Jul 2020 04:12:55 -0700
Message-ID: <CABcZeBO5yb90=GQvXP+1SWGzyYRvnMs8FZNymL-CgDfkW1=_Mg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pYU0P8mGsatgnxNnw3BWmaROaWE>
On Tue, Jul 28, 2020 at 12:26 AM Martin Thomson <mt@lowentropy.net> wrote:

> The following text from Section 5.3 is deeply problematic:
>
>    A decryption policy decision MAY be made based on the server
>    certificate or other trustworthy parameters. To verify possession of
>    private keys that are associated with a particular server
>    certificate, the proxy SHOULD complete an out-of-band TLS handshake
>    with the same TLS server IP address and TCP port as targeted by the
>    TLS client.
>
> It is possible that the authors misunderstand how TLS works, but this
> check won't work. Not only because TLS 1.3 encrypts information, but
> because this is only necessary if the proxy forwards a ClientHello from the
> client to the server.

In addition, this check is susceptible to a trivial forwarding attack in which the server in question forwards the data to the true server.

-Ekr
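To make the objection concrete, here is an added toy model (not code from the draft or from anyone in the thread) of the Section 5.3 out-of-band check: a fresh handshake to the target IP:port only proves that whoever the proxy's bytes eventually reach holds the key, so a key-less relay at that address passes the check exactly as the real server does, while a host with a different key fails. The server names, keys and the HMAC stand-in for a certificate signature are all constructed assumptions.

```python
import hashlib
import hmac
import os


def sign(key: bytes, msg: bytes) -> bytes:
    # Toy stand-in for a CertificateVerify signature: a keyed MAC over the
    # transcript. A real deployment would use the certificate's public key.
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


class Server:
    """Holds a private key and answers a handshake by signing the transcript."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def handshake(self, transcript: bytes):
        return self.name, sign(self.key, transcript)


class Relay:
    """Holds no key at all; it just forwards the handshake to an upstream host."""

    def __init__(self, upstream):
        self.upstream = upstream

    def handshake(self, transcript: bytes):
        return self.upstream.handshake(transcript)


def out_of_band_check(endpoint, expected_name: str, trusted_keys: dict) -> bool:
    """The draft's proposed check, modelled: open a new handshake to the host at
    the client's target IP:port and see whether it proves possession of the key."""
    transcript = b"proxy-nonce:" + os.urandom(32)
    name, sig = endpoint.handshake(transcript)
    return name == expected_name and verify(trusted_keys[name], transcript, sig)


# Constructed sample keys and endpoints (not real hosts).
REAL_KEY = b"real-server-private-key"
TRUSTED = {"example.test": REAL_KEY}
real = Server("example.test", REAL_KEY)
relay = Relay(real)  # sits at the targeted IP:port, owns no private key
impostor = Server("example.test", b"some-other-key")


def results() -> dict:
    # The check cannot tell the real server from a relay in front of it.
    return {
        "real": out_of_band_check(real, "example.test", TRUSTED),
        "relay": out_of_band_check(relay, "example.test", TRUSTED),
        "impostor": out_of_band_check(impostor, "example.test", TRUSTED),
    }
```

Because the proof of possession is over the proxy's own nonce rather than the client's transcript, a passing check says nothing about which host is actually terminating the client's session.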