Re: [TLS] OpSec WGLC for draft-ietf-opsec-ns-impact

Nick Lamb <njl@tlrmx.org> Thu, 29 October 2020 21:11 UTC

Date: Thu, 29 Oct 2020 21:11:03 +0000
From: Nick Lamb <njl@tlrmx.org>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20201029211103.715ba80c@totoro.tlrmx.org>
In-Reply-To: <281772AB-0042-494C-B5C8-38CE21E8BC42@cisco.com>
References: <20200817163938.07580cee@totoro.tlrmx.org> <2B1FF3B4-949A-4A29-ABDC-B2B91878B947@cisco.com> <20200819234314.29c3bbdc@totoro.tlrmx.org> <387460EC-D00A-4D12-9E12-713E9E0049B1@nerd.ninja> <20200821003948.04bc5308@totoro.tlrmx.org> <281772AB-0042-494C-B5C8-38CE21E8BC42@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tDnpRfslo7FIamRKzJRxOSw6n-g>

Hi Nancy

On Mon, 26 Oct 2020 02:55:52 +0000
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> wrote:

> [NCW] The specific conditions are more deployment and vendor specific
> and proprietary so it'd be difficult to enumerate (and enumerate them
> all)...as well as which we believe is out of scope for the document.
> I did add a paragraph to state that as well as we (the authors) are
> not proponents for these techniques but as it had been asked to how
> the deployments 'inspect' we thought it important to document the
> most common known practices.  Please look over the updates and see if
> that clarifies intent.

I see. I focused on the modifications to the document rather than
re-reading the document. Thanks for correcting the typographical error
and I acknowledge that the two new paragraphs reflect the intent
you've described.

> [NCW] Right, our intent was not to prescribe what should or should
> not be done, but rather educate as to what is being done in practice
> today.

Unfortunately words like "effective" and "capability" give the
impression that instead of describing practices which don't work
neutrally so as to educate about what is done, this documents
techniques that actually worked. My previous emails explained some
problems with that back in August.

Your co-author Roelof has argued that they can work under some specific
circumstances, but this revision does not explain what those
circumstances would be in the document itself and my impression from
your reply is that you believe doing so would be "out of scope".

Nick.