Re: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3
John Mattsson <john.mattsson@ericsson.com> Wed, 17 May 2023 17:51 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 509ECC151086; Wed, 17 May 2023 10:51:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4EBvAm8I23vW; Wed, 17 May 2023 10:51:30 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2060d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::60d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9964C15155A; Wed, 17 May 2023 10:49:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hxQC+WZKuq+Ol/qcIOIGcUk0P3WOH5E27TNRYUoZZ5MU1gaVxiF/dVCeB3kTQhgreUwVvfTS7CwCi0ixXGWRq5c8ubZliG4Y99KxJoB8XM8zE/tW/Q8FRmCZZue+CPLyGSFbcum2mkh+ICfR2DHla3cZ6G5FqW8DwXgOfN3IzcmfsL+SXYvBRLdib3DylzjnwjoXFPCX4AIC8bXtntDmYRSrQStEMszKRKtl5HYyT1nPfKuBA8ZVjlUc71D7sO8O1KtWyikKZtCOXnInMlfa1LliL/oioonksuCvpLYa94nOAH63bpYrlzSF0wSJdCIhrBoVZ4nnoLb5b2PPhdNXcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VeKtcB5kHUTEGpgyIc8u4o8lmzbKtuAFZ7utFZrvJm8=; b=DqTJiZ5q3kZ0X1yVQ6yXkz+bqRQ53CXVdy/ZuHyQ4RlHfAhuY+mFO4nHHdAA8wTIbokgGDsSFTEdDxVYdOwZr6ZndmLA+kVh6h1NnwqHI6inwTIVxqURNeUhiJcTZPN9dU6w3gJgVC7vBkVKpxfJZDDdkiWKA3UsrNK0kNuItI6t9JUU6b3iPbPpb15B38jh8ZYr/sLFAOUHwWdUT2rFT2A+ozVhRRlRPaeAtBo15ewq9xG/o9hPJ4Q3bsXtglf2Lr34QK6NlSwZ+eI4RBIIJtgs0p1A612qlxdrtoskCIarlmtb6F8NUWC4TCMNZpS7sWJJDGxSQv/gOnommfbDAw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VeKtcB5kHUTEGpgyIc8u4o8lmzbKtuAFZ7utFZrvJm8=; b=NH/BnCqEcrEzyiveyERN/ax9nh4jj7gbZbUtwcScXyCZT5O/rxjielIwTG+gNlJrxbYQBGDd68aZ6r2AZLevmIv+YMWE6HD9CVDJlwWvs49xDDr9+xpPoRf81eb7A6bzafXFsWDgR1AXwm49I2W1KZc//Rl/EXSwnOMU+KuXrec=
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by AM7PR07MB6705.eurprd07.prod.outlook.com (2603:10a6:20b:1a2::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.17; Wed, 17 May 2023 17:49:55 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957%7]) with mapi id 15.20.6387.034; Wed, 17 May 2023 17:49:55 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "tls@ietf.org" <tls@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
Thread-Topic: NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3
Thread-Index: AQHZh+gkgLa7BUkUwE2qbU9oMQ3IhK9c6kO8gAHTr5A=
Date: Wed, 17 May 2023 17:49:55 +0000
Message-ID: <GVXPR07MB9678E0FB9EED1410D10EBAF7897E9@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <497567B2-AB42-436E-9BE5-95CCA121E62A@akamai.com> <GVXPR07MB9678B1AEF81759EFE014B6D689799@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678B1AEF81759EFE014B6D689799@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|AM7PR07MB6705:EE_
x-ms-office365-filtering-correlation-id: 66d9670b-0ab9-4238-c43c-08db56ff1fab
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: D8zT/du0hPtUjictlMacV6OtTM8cchbgxnY9Ayz4zQBPij+hzsidabFzZeywXWlEYyP0KmDTaj3XhpSJe6FQGPptrBrwZMBe8EXQP6dCr3kc+E1M5VbWr3W2k8IiTyhVtUDsz6vLHv3fKFBn95BKvo3MiznH55/KvNP3GVxTe1RrKiAziagluuBGrGH2GOA4nB1DnARq5MJv/fFttDRYY2EvQFJnzBcBTiTMsLhjVASJ1S6Iqf/dseqg6HxXouA7WDAmkx3GjHGD430OXCgDZpcAU11K27pcHvu9uHhviReK0tV48zdFGXkIq+O2i8zgo/9FjQH6nDKEGuMDjyfxtvZGxz6eB0T9VwRFVC1DOY0PM95UPLRme/0JkkWg6siF2ewciennCTIpIC67hi+WlDMoiWIkMVrju9AvrdBSwlAOd64vMrOfdBGuyMcwijlxrffcxjHmjSRff78nywBEdd9g0sITvYHFKM6xPkyFJXy2kcZ+o08ML9Os8kixCXFfy0LreU5a99N6pkEy3qbGuIZ7nZjKjZZg0VFeqkH2H79p9oLdP+1P1CtOuhhIBzY/P0Pm2d70ALOprUlHfDNhEfbdxuSZrcguJijuHzKh6epxDG8fQLL8R8Zfe+zkQC5ApbTVB2W67fLv1spq39epKNuAbhk5BPKbNaHlVmzHxM7byC5mx35MBUqwSZKiN38Y
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(39860400002)(346002)(366004)(136003)(376002)(396003)(451199021)(5660300002)(71200400001)(41300700001)(2906002)(83380400001)(122000001)(86362001)(38100700002)(166002)(82960400001)(38070700005)(33656002)(26005)(186003)(6506007)(44832011)(52536014)(55016003)(8676002)(8936002)(53546011)(9686003)(450100002)(66556008)(66476007)(66446008)(76116006)(66946007)(64756008)(478600001)(966005)(7696005)(316002)(110136005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: lI/HKPCBjmvR0nIhXbnhjzh6SWxtD5+1f/JywI9OMSNLW1/dNOVY60rFLTxBgvlw0sAf6I5FbQXXvH20ZCRWjTQ3cpo6ntBN8+JpJr8C+hjjjtufGB+A/5L15yiTwgvtNwS+C4+zo890pKJr5e+w2tbejDXXDJGYW4tO+OKQSyvPyhipgjhJaQAl2mi0AtYvEbngbK8uyqB8G30tYEUvuIOY7wrYwaAHv2cLV1nQ4lYXzFOw1Pe21l2UvTobl+jFe2cDBTU2juHjffawwZblArCJyOPhmTyQiTkd4pupjPICJBiQqUF6Ryi1QnT7BGlYLBfeUw9iiKN8/vIFNjUh2kmdP66MZHdS+TFzVokYlL4N+bjhhsSl6zR+9YZyxzPjFbvD58bfIPLmE7j5qUVq9/Vu0Ini6ky5Na5o8A03HYuFm1oQZI2mqH9xH+7wvl/EeLl7wPqU6oEaD0ndFSBABDIGmTwIYZl2MSQXtBohVxzPZZBsjKBSurT2jf1yy23QOWyZrRTd+0WBB1bsidFNBV7VjMzEJdO0g7QDl9fRty72EyUne8j0lqZHycV9t8Ew2AS12O4u23ndo3aAEXIVq9rl7rMAxtyPrgDA9o2nHPO/Kopp6ExCXr7IVOTSbonNhisH/iDo12JJeOBQTfgyhZvvuqusemu/dB+A0BRDn/PwiyLEFr9uSq3dOiY3AqBmkmZfxrxGEOVyQ3dCFr6Uo47DW1fairpSXUADIu3TQx0e+ncLt/16EfoJ92CG5XzTsZ6iV+DfwYRPnzvrnn/rLkqE2bHmDNgH7zsKm7nC4PENjDJhuLatClZdjsZHhiSnhaxsqafnN8W1IlXjww9fPAW5sNdzGuzlRZeWdsDEKDl3v5B9Enxo9yM90YGSVZYc509EjUgV0V9dh1z9sVXqXcNYQceRCAPJ+dFmZS0weGyA7nfbcRnqZ2eYllaCdbl02PIW3vwSUZwq+dIix9i8bco4FcODcdPKP9MNUY93xSWcRJg1iyhj6P7rMF2eMkgVWwQChXt10W4/S7XZZgmHNlXs5IlAfbz7jy7pbQMa76Bhqc6WyRAOaZahm1AnS41tfadkLfs3Bt/O9OKAmTrVy60QC7qTKI+7g7JeNy4n5CJYuYW1jLv5lQgGSyi9XpNQi0yyRQHDquQxmfWmCRYb3tIobw6Ka+JDts9dqeGRpzdkfP67gyll7vELiur2QlSEXQYVlRgLO7m8PJ/NIICoxZoyn4h7zIOjLV3wYN4wmoVy24dtcfy3/1k11rczXIu8PNmlaEEhJv3geIGUeQXQMVzx2FoI7XYH++XiULRxf3vnRI/ymGEdJEnznKBipekcPoE900fJ6xw6mEdTQI/1tQOOlaKqwoGaNZJSRBBVXzmF2yba85XjMzDTD9duXQrq6jOH6Z3V4Cxfn2v9FkV+mNJ1iuxBK7nGOCtzwLvZgIJHy3Y56PJjqkMlrPrtNWit6C6L4rKshaDILICGmsySD1N272sXBK85nvhzHkYYgWoK5a8InZGmiuafYNGMG2SvM88fQv7JBoiP7LLZYFh5b7yCmubqhJxrf6wmZFkwh/2eragSZunY23XDb9L/kBQ+rVcGloYjIDqUdbwFAwIaRCndelu2+ghVffsaoEiSp1I=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678E0FB9EED1410D10EBAF7897E9GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 66d9670b-0ab9-4238-c43c-08db56ff1fab
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 May 2023 17:49:55.0737 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4U4MM+rJWwawXUQSlIN9G4OdyP6bxQffZFM4DsxeEJa86rLEsadqmEgzCNBp9C/TVm2JbJaFrH4BDc876BH9Vr1r6uTmRmHHgcjSrNpCcqM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6705
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tKJbBUAdzDiRn327m8tLFvHA7w8>
Subject: Re: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2023 17:51:34 -0000
Hi, Should IETF / SEC / TLS send an LS to NIST as was done with ESTI-TC-CYBER? https://datatracker.ietf.org/liaison/1538/ https://datatracker.ietf.org/liaison/1616/ A lot of the comments in the LSs to ESTI-TC-CYBER also apply to the NIST work. "Our foremost concern is the use of the name Transport Layer Security (TLS), a well-known protocol which has been developed by the IETF for over twenty years. The IETF maintains copyright and change control for TLS specifications. Having a separate, different, protocol named "TLS" but developed by another SDO is a recipe for confusion among developers, implementers, and users alike." "The IETF remains strongly committed to fostering end-to-end security, and the properties of TLS enable that for key IETF protocols. We believe the ETSI work to proceed from a different design goal: to enable third-party monitoring. Because applications using TLS expect its end-to-end security properties, the re-use of the name will create misunderstandings. We therefore formally request that ETSI alter the name of its work enabling third-party monitoring so that implementors, users, and governments are not confused about its properties or the properties of TLS." "the main area of divergence from TLS 1.3 to this MSP profile is the replacement of the server’s "ephemeral" DH key with a "static" DH key, which suffices to violate the design and operational assumptions of TLS 1.3 and render this MSP profile as a qualitatively different protocol that should be named accordingly." My feeling is that the IETF community is much more against reuse of key shares now than in 2017. At IETF 116 there seemed to be consensus to discourage psk_ke. RFC8446bis and RFC9325 now have strong normative text discouraging key share reuse. I personally think it is problematic and not very constructive if IETF states that all visibility solutions are bad. It would in my view be more pragmatic to state that some technical solutions are better than other. Cheers, John From: TLS <tls-bounces@ietf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> Date: Tuesday, 16 May 2023 at 15:59 To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>, tls@ietf.org <tls@ietf.org> Subject: Re: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3 Hi Rich, Good that you inform the TLS WG. I was planning to do that but forgot. Ericsson is likely to provide the comments in the link below. We think it is good that NIST is doing this project, visibility is a problem, but our position is that reuse of key shares is not an acceptable solution. https://github.com/emanjon/Publications/blob/main/Ericsson%20comments%20on%20NIST%20SP%201800-37A%20May%2013.pdf<https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-7d2441a08db5bc25&q=1&e=aaabd95a-d6a9-4af8-9292-dd48d0908491&u=https%3A%2F%2Fgithub.com%2Femanjon%2FPublications%2Fblob%2Fmain%2FEricsson%2520comments%2520on%2520NIST%2520SP%25201800-37A%2520May%252013.pdf> Cheers, John From: TLS <tls-bounces@ietf.org> on behalf of Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> Date: Tuesday, 16 May 2023 at 13:19 To: tls@ietf.org <tls@ietf.org> Subject: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3 Public comment period open until June 26. Quoting from https://content.govdelivery.com/accounts/USNIST/bulletins/359534b This project builds on our earlier work, “https://www.nccoe.nist.gov/tls-server-certificate-management,” which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped organizations boost performance and address security concerns. These same enhancements have also reduced enterprise visibility into internal traffic flows within the organizations' environment. This project aims to change that--and has two main objectives: • Provide security and IT professionals practical approaches and tools to help them gain more visibility into the information being exchanged on their organizations’ servers. • Help users fully adopt TLS 1.3 in their private data centers and in hybrid cloud environments—while maintaining regulatory compliance, security, and operations. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] NIST Draft comments period: Addressing Visi… Salz, Rich
- Re: [TLS] NIST Draft comments period: Addressing … John Mattsson
- Re: [TLS] NIST Draft comments period: Addressing … John Mattsson
- Re: [TLS] NIST Draft comments period: Addressing … Stephen Farrell
- Re: [TLS] NIST Draft comments period: Addressing … John Mattsson
- Re: [TLS] NIST Draft comments period: Addressing … Stephen Farrell