Re: [TLS] Industry Concerns about TLS 1.3
Judson Wilson <wilson.judson@gmail.com> Tue, 27 September 2016 08:33 UTC
Return-Path: <wilson.judson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 043FF12B09A for <tls@ietfa.amsl.com>; Tue, 27 Sep 2016 01:33:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9zwt-xGfvIu for <tls@ietfa.amsl.com>; Tue, 27 Sep 2016 01:33:08 -0700 (PDT)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 455A512B098 for <tls@ietf.org>; Tue, 27 Sep 2016 01:33:08 -0700 (PDT)
Received: by mail-lf0-x234.google.com with SMTP id g62so14398843lfe.3 for <tls@ietf.org>; Tue, 27 Sep 2016 01:33:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=c/Nao4ZeWvumjWzCsYdE8+BWMLGd6w2CIya1O4zOqyA=; b=DG6t1nFsC5vQnCSiANDBC9a4urTkNk4bWGfRuz13NhUETIjkg88kgntCnkTMw6j0mC Keh19Rr989juG32dmf4KetVTK0FnMzXnkSL4eiOcU8x6GkaKQUvt78Ujz5P/0LrQZyYe Mr6GXoh9pxB8/BoD9fvFfXRZdO5g5w0eHFacd+KajhOWdWKGMRlNL/DyTgAAB6kcPIe8 uuE8fts2/ccNQvDXTJomT/Ou104fX/sz0W+ykX7ZRyXXUV64rVShk62jY0/wytyT3uGu ytOAMMzx0TofpB6YiXNAt3BINeQaqHXj4dEbz4iPsMaF+YTAo8C5uxLjXw3+uRT4/bjz X5yA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=c/Nao4ZeWvumjWzCsYdE8+BWMLGd6w2CIya1O4zOqyA=; b=QCRKB+AE+MAqtrJXdta1eZrWAN1f9o/6aRtP1ylzeETG/dLQTAJR8Dd2xFqi1VM1qx K/rM7xguvbVIDZIDuimGBicPJwv2d81ho7XbZb0qau0jiqDK6RA9ZfYUjPQgZg3f/FNW 9hLyiEqYy61sHT7hEFQv8xZFFaX3IUeb3TRoxkFInNIr8ohVqU6GBzo1Rlys8QytEoEi ey6MFuZjFTVV9jaDOJzBKgXz3W9jmPvKmsWePSy6uRCFIsBz5yQhzT+TwEJWUh9W+YJB PmtjoXbvCvORh/77dXHi64uvl46xbOSxw7Ycb3oo2nIzuJM9JYFBVFarJ1bGD5zpF5Yz qxLA==
X-Gm-Message-State: AA6/9RmJhKwF8VlTtLcz28Jak9v4kVIM+hjKt2+vVcZiHgrp/BXn/c6K/Ff108mFk/EOHGHpE9gIZWe5g9eY2w==
X-Received: by 10.28.173.144 with SMTP id w138mr1559778wme.12.1474965186180; Tue, 27 Sep 2016 01:33:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.160.197 with HTTP; Tue, 27 Sep 2016 01:33:05 -0700 (PDT)
In-Reply-To: <11BA66BB-3B08-4170-8F84-A06E1B4214AC@dukhovni.org>
References: <DM5PR11MB14191AABED7E43F904133787F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <r470Ps-10116i-4C64C69C85D443BF91A20D2FDB8F48E9@Williams-MacBook-Pro.local> <DM5PR11MB1419320109EC18605B1D2072F4CD0@DM5PR11MB1419.namprd11.prod.outlook.com> <BD40CD6E-568F-40A3-838F-C4AC9C9AF9C8@dukhovni.org> <CABcZeBNKzr7tmYPz2BBt=cSvLnhniUosSbHZCU8qS42bXoO=_g@mail.gmail.com> <11BA66BB-3B08-4170-8F84-A06E1B4214AC@dukhovni.org>
From: Judson Wilson <wilson.judson@gmail.com>
Date: Tue, 27 Sep 2016 01:33:05 -0700
Message-ID: <CAB=4g8KqrO5EN20rawExHoM3qw9S8se8vQJupK0_A_8o8Dytiw@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11444a28fa7c9d053d79173d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rOmMD5n55zBgVnHzEkI0UA0xtec>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2016 08:33:11 -0000
> > Yes, I know that changed. It was an example of something that works with > TLS 1.2 even when PFS is used. With TLS 1.3 server or client > implementations > can find other ways to retain long-term records of session keys. The > capability > to do that is not a requisite or desirable protocol feature. Different > user > communities will have different needs, and the best solution is to provide > security by default, and cede control of the result to the endpoints. I don't believe that storing this information on the endpoints is a great idea, simply because the monitoring equipment will have a difficult time ensuring that the information exists when it is needed. It also increases the number of sites that are risks to compromising past data. I think this challenge is best solved by putting the information on the wire in some way, possibly as a special industry-specific extension (used only by those who are bent on shooting themselves in the foot). The benefit being that if the TLS channel is alive, the session information is available to the monitor. Just as a strawman, the client could transmit session info in special records, encrypted by a public key, and the monitoring equipment could scoop these up. For compatibility with servers outside the network, a middlebox could somehow filter out these records. It sounds like the need is large enough that such an effort is feasible, and it would be good to keep normal TLS 1.3 unambiguously forward secure. (There IS still the question of how to make sure that the extension is not enabled in endpoints it shouldn't be.) On Mon, Sep 26, 2016 at 5:20 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > On Sep 26, 2016, at 7:21 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > There are other ways to accomplish this. For example, the server might > > use session ticket keys that are stored centrally encrypted under a > > suitable escrow key. If clients always enable session tickets, then > > every handshake will result in the server returning a session ticket, > > in which case the session can be later decrypted if the session ticket > > keys are available. > > > > This actually doesn't work in TLS 1.3 because the resumption master > secret > > is not sufficient to decrypt the connection in which it was established. > > Yes, I know that changed. It was an example of something that works with > TLS 1.2 even when PFS is used. With TLS 1.3 server or client > implementations > can find other ways to retain long-term records of session keys. The > capability > to do that is not a requisite or desirable protocol feature. Different > user > communities will have different needs, and the best solution is to provide > security by default, and cede control of the result to the endpoints. > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Yuhong Bao
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 Paterson, Kenny
- Re: [TLS] Industry Concerns about TLS 1.3 Kyle Rose
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Dave Garrett
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Yoav Nir
- Re: [TLS] Industry Concerns about TLS 1.3 Yuhong Bao
- Re: [TLS] Industry Concerns about TLS 1.3 Andrei Popov
- Re: [TLS] Industry Concerns about TLS 1.3 Xiaoyin Liu
- Re: [TLS] Industry Concerns about TLS 1.3 Hugo Krawczyk
- Re: [TLS] Industry Concerns about TLS 1.3 Colm MacCárthaigh
- Re: [TLS] Industry Concerns about TLS 1.3 Hugo Krawczyk
- Re: [TLS] Industry Concerns about TLS 1.3 Ryan Carboni
- Re: [TLS] Industry Concerns about TLS 1.3 Colm MacCárthaigh
- Re: [TLS] Industry Concerns about TLS 1.3 Geoffrey Keating
- Re: [TLS] Industry Concerns about TLS 1.3 Eric Rescorla
- Re: [TLS] Industry Concerns about TLS 1.3 Thijs van Dijk
- Re: [TLS] Industry Concerns about TLS 1.3 Stephen Farrell
- [TLS] debugging tools [was: Industry Concerns abo… Nikos Mavrogiannopoulos
- Re: [TLS] debugging tools [was: Industry Concerns… Stephen Farrell
- Re: [TLS] debugging tools [was: Industry Concerns… Hubert Kario
- Re: [TLS] Industry Concerns about TLS 1.3 nalini.elkins
- Re: [TLS] Industry Concerns about TLS 1.3 Ackermann, Michael
- Re: [TLS] Industry Concerns about TLS 1.3 Jeffrey Walton
- Re: [TLS] Industry Concerns about TLS 1.3 Dan Brown
- Re: [TLS] Industry Concerns about TLS 1.3 Ackermann, Michael
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 Ackermann, Michael
- Re: [TLS] Industry Concerns about TLS 1.3 nalini.elkins
- Re: [TLS] Industry Concerns about TLS 1.3 Eric Rescorla
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Jeffrey Walton
- Re: [TLS] Industry Concerns about TLS 1.3 Yaron Sheffer
- Re: [TLS] Industry Concerns about TLS 1.3 Tony Arcieri
- Re: [TLS] Industry Concerns about TLS 1.3 Ilari Liusvaara
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Yoav Nir
- Re: [TLS] Industry Concerns about TLS 1.3 Eric Rescorla
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Xiaoyin Liu
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Stephen Farrell
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Jeffrey Walton
- Re: [TLS] Industry Concerns about TLS 1.3 Adam Caudill
- Re: [TLS] Industry Concerns about TLS 1.3 Peter Bowen
- Re: [TLS] Industry Concerns about TLS 1.3 Bill Frantz
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Pawel Jakub Dawidek
- Re: [TLS] Industry Concerns about TLS 1.3 Ackermann, Michael
- Re: [TLS] Industry Concerns about TLS 1.3 Ilari Liusvaara
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Brian Sniffen
- Re: [TLS] Industry Concerns about TLS 1.3 Ackermann, Michael
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 Hovav Shacham
- Re: [TLS] Industry Concerns about TLS 1.3 Martin Rex
- Re: [TLS] Industry Concerns about TLS 1.3 Pascal Urien
- Re: [TLS] Industry Concerns about TLS 1.3 Salz, Rich
- Re: [TLS] Industry Concerns about TLS 1.3 Martin Rex
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Xiaoyin Liu
- Re: [TLS] Industry Concerns about TLS 1.3 Andrei Popov
- Re: [TLS] Industry Concerns about TLS 1.3 Geoffrey Keating
- Re: [TLS] Industry Concerns about TLS 1.3 Viktor Dukhovni
- Re: [TLS] Industry Concerns about TLS 1.3 Eric Rescorla
- Re: [TLS] Industry Concerns about TLS 1.3 Viktor Dukhovni
- Re: [TLS] Industry Concerns about TLS 1.3 Judson Wilson
- Re: [TLS] Industry Concerns about TLS 1.3 Peter Gutmann
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Seth David Schoen
- Re: [TLS] Industry Concerns about TLS 1.3 Ilari Liusvaara
- Re: [TLS] Industry Concerns about TLS 1.3 Yoav Nir
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Michał Staruch
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 Tony Arcieri
- Re: [TLS] Industry Concerns about TLS 1.3 Ronald del Rosario
- Re: [TLS] Industry Concerns about TLS 1.3 Seth David Schoen
- Re: [TLS] Industry Concerns about TLS 1.3 Stephen Farrell
- Re: [TLS] Industry Concerns about TLS 1.3 Hannes Tschofenig
- Re: [TLS] Industry Concerns about TLS 1.3 Martin Rex
- Re: [TLS] Industry Concerns about TLS 1.3 Joachim Strömbergson
- Re: [TLS] Industry Concerns about TLS 1.3 Martin Rex
- Re: [TLS] Industry Concerns about TLS 1.3 Martin Rex
- Re: [TLS] Industry Concerns about TLS 1.3 Dan Brown
- Re: [TLS] Industry Concerns about TLS 1.3 Jeffrey Walton
- Re: [TLS] Industry Concerns about TLS 1.3 Yoav Nir
- Re: [TLS] Industry Concerns about TLS 1.3 Dan Brown
- Re: [TLS] Industry Concerns about TLS 1.3 Bill Frantz
- Re: [TLS] Industry Concerns about TLS 1.3 Melinda Shore
- Re: [TLS] Industry Concerns about TLS 1.3 Tony Arcieri
- Re: [TLS] Industry Concerns about TLS 1.3 Melinda Shore
- Re: [TLS] Industry Concerns about TLS 1.3 Tony Arcieri
- Re: [TLS] Industry Concerns about TLS 1.3 Bill Frantz
- Re: [TLS] Industry Concerns about TLS 1.3 Ryan Carboni
- Re: [TLS] Industry Concerns about TLS 1.3 Hannes Tschofenig
- Re: [TLS] Industry Concerns about TLS 1.3 Hubert Kario
- Re: [TLS] Industry Concerns about TLS 1.3 Peter Gutmann
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Jeffrey Walton
- Re: [TLS] Industry Concerns about TLS 1.3 Watson Ladd
- Re: [TLS] Industry Concerns about TLS 1.3 Tony Arcieri
- Re: [TLS] debugging tools [was: Industry Concerns… Florian Weimer
- Re: [TLS] Industry Concerns about TLS 1.3 Florian Weimer
- Re: [TLS] Industry Concerns about TLS 1.3 BITS Security
- Re: [TLS] Industry Concerns about TLS 1.3 Sean Turner
- Re: [TLS] Industry Concerns about TLS 1.3 Ryan Carboni