Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 07 November 2017 15:22 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7E3613FF13 for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 07:22:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wo8ZXE3KxUiq for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 07:22:23 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23DC413FFBF for <tls@ietf.org>; Tue, 7 Nov 2017 07:15:06 -0800 (PST)
Received: from [192.168.91.204] ([80.92.118.86]) by mail.gmx.com (mrgmx102 [212.227.17.168]) with ESMTPSA (Nemesis) id 0LhCDT-1ezlrs1c4l-00oZr0; Tue, 07 Nov 2017 16:15:03 +0100
To: Alex C <immibis@gmail.com>, Richard Barnes <rlb@ipv.sx>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <150939282345.7694.10153977158870845060.idtracker@ietfa.amsl.com> <CAL02cgRS715Vc+4_QNDSNBW8LP1f-Rmp0FW9W_pyHHpAnkX7Sg@mail.gmail.com> <CAMqknA6-+=W8j77xZ80M8Y+bz3V+VLUDOYjgK2vA0=HLHk7k2w@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <da4504a1-f868-bf66-1f28-2b7716207d07@gmx.net>
Date: Tue, 07 Nov 2017 16:15:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CAMqknA6-+=W8j77xZ80M8Y+bz3V+VLUDOYjgK2vA0=HLHk7k2w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:UQC3Jc8mItn2+jZpXZO+tojfSBdgOM4zRMQEWh6+vLIsUFZA32k ZPbLA9pYoWiF/0NzAi9dQsT6UOkPh4SsJ7/ksAUScHwPcGtc7whU2cKa85S7Jlj3ahqnSJ+ K0KMVWkw1MbzZyIAPhcGkvEbV7+VZZVgCcPZd+MrI/TYMgMEBpdpRYoDPHTqZFkLHi4BZXI 6xOxkjPP+3YW9KpGNNhbA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:AfThMHehCK4=:u1s4R4YeJwJ0yMgzwPDyTa fVt6+iy8Vfsw3mv+cdm76+ZXPuO5wozH9ASnCFFnC7LlEe1aMxUae7jpe5UifHaBQy1DGML0i f/pi1BBBDchJtYkU6rhgXr0vhkAvPIM5d/kEZtfOTWX4QR0RaTPW5k5cIRWQXbjSj2Qr03OUZ ikv6AfGQM8aCiXXeqZsm5TAHiw/OAg91a329wOwXpe5X8Q6FUaJDsT+ZNreXWhtsy0trguv1p TYM8wSfl4fjJmWxAvebEYCQKLyzKiqo643Whs1nJ/u3XgEn8lP/2v2mmW5/t6352V/FNer621 QtkLdSay8L+FcJ6LU64+2dantRbpNKP6nTsQsQw5H74K2VpzIDsOTuNGVOr0QPetwFhnBiPx8 OnhQzRK8A7F09Qq4r5rxHayga4xpM45X9Ei06MJyxN4nZV9ZNBlU3JH7SjXntM/jwIzl8sI5M cHRfbEXIPlpTFsg/9BPFATY7oa7fsbvPuhLdg/Sf0nXBII804wfeTVWKGHWX9rcihECxEg5MK SQY16/kgdY1o5OYDyB1fapq20sF0/XJNjBJB7cJ5KKApeWXGl82bZhVlJcvXqTMhvrMm+/+N2 IcBIiOCNAmxYE6DdtExMEHtCJc01sjapWylqeQS50LSgC27UPgDwZ2h1dt6Fs3PTknRGVOXbm 7jivkeav9TnleVqShp6lLO7Ui25AMHltFST91Nsd+JcrvuwvM+S0Est4nRfQQ3jk0uiBfVwUF PYgg1C8GhCLNrrmpvZ5wKeLCmqdhIMnPz6ol8xbau7GhWQAB8djtSF9NnwSB+yrZaB+8VoIaa 9giH5zCQVEbGEY/g4T9291M8CQcMAl0z+wG6XV0oCDEd2XT79g=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vg5lqBXu9kXFXMI1a54QEdRXFY4>
Subject: Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 15:22:25 -0000
FWIW: I can tell you what the threat model was with the layered TLS work. Let me give you a very specific example. Imagine a Bluetooth Low Energy device that communicates via a phone to a cloud-based service. The communication from the phone to the cloud uses HTTPS. The communication from the BLE device to the phone uses ordinary BLE services/characteristics. The Layered TLS/application layer TLS would in this case run from the BLE device all the way to the cloud-based service at the application layer. This allows us to provide end-to-end security across a proxy (in this case the phone) and independent of the underlying protocols. Does this make sense? Ciao Hannes On 11/07/2017 10:21 AM, Alex C wrote: > What exactly is the threat model here? > > Are you trying to hide a connection from a reverse proxy at the server > end? If so, the server operator should not have deployed a reverse proxy > in the first place. > > Are you trying to hide from a MITM proxy that supplies its own > certificate? If so, then what prevents the proxy from doing the same to > the tunnelled session? > When MITM proxies learn to do that, will we create another tunnelling > protocol inside this one? > > This is a cat-and-mouse game with middleboxes (much like the version > negotiation problem, but in a different way). Keep playing and everyone > loses. > > On Tue, Oct 31, 2017 at 11:17 AM, Richard Barnes <rlb@ipv.sx > <mailto:rlb@ipv.sx>> wrote: > > Hey TLS folks, > > Owen, Max, and I have been kicking around some ideas for how to make > secure connections in environments where HTTPS is subject to MitM / > proxying. > > The below draft lays out a way to tunnel TLS over HTTPS, in hopes of > creating a channel you could use when you really need things to be > private, even from the local MitM. > > Feedback obviously very welcome. Interested in whether folks think > this is a useful area in which to develop an RFC, and any thoughts > on how to do this better. > > Thanks, > --Richard > > > On Mon, Oct 30, 2017 at 3:47 PM, <internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org>> wrote: > > > A new version of I-D, draft-friel-tls-over-http-00.txt > has been successfully submitted by Owen Friel and posted to the > IETF repository. > > Name: draft-friel-tls-over-http > Revision: 00 > Title: Application-Layer TLS > Document date: 2017-10-30 > Group: Individual Submission > Pages: 20 > URL: > https://www.ietf.org/internet-drafts/draft-friel-tls-over-http-00.txt > <https://www.ietf.org/internet-drafts/draft-friel-tls-over-http-00.txt> > Status: > https://datatracker.ietf.org/doc/draft-friel-tls-over-http/ > <https://datatracker.ietf.org/doc/draft-friel-tls-over-http/> > Htmlized: > https://tools.ietf.org/html/draft-friel-tls-over-http-00 > <https://tools.ietf.org/html/draft-friel-tls-over-http-00> > Htmlized: > https://datatracker.ietf.org/doc/html/draft-friel-tls-over-http-00 > <https://datatracker.ietf.org/doc/html/draft-friel-tls-over-http-00> > > > Abstract: > Many clients need to establish secure connections to application > services but face challenges establishing these connections > due to > the presence of middleboxes that terminate TLS connections > from the > client and restablish new TLS connections to the service. This > document defines a mechanism for transporting TLS records in HTTP > message bodies between clients and services. This enables > clients > and services to establish secure connections using TLS at the > application layer, and treat any middleboxes that are > intercepting > traffic at the network layer as untrusted transport. In > short, this > mechanism moves the TLS handshake up the OSI stack to the > application > layer. > > > > > Please note that it may take a couple of minutes from the time > of submission > until the htmlized version and diff are available at > tools.ietf.org <http://tools.ietf.org>. > > The IETF Secretariat > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Stephen Farrell
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Mark Nottingham
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Stephen Farrell
- Re: [TLS] New Version Notification for draft-frie… Patrick McManus
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Alex C
- [TLS] Layered TLS ... was Re: New Version Notific… Hannes Tschofenig
- Re: [TLS] Layered TLS ... was Re: New Version Not… Salz, Rich
- Re: [TLS] Layered TLS ... was Re: New Version Not… Hannes Tschofenig
- Re: [TLS] New Version Notification for draft-frie… Hannes Tschofenig
- Re: [TLS] New Version Notification for draft-frie… Yoav Nir
- Re: [TLS] New Version Notification for draft-frie… Peter Saint-Andre
- Re: [TLS] New Version Notification for draft-frie… Alex C
- Re: [TLS] New Version Notification for draft-frie… Hannes Tschofenig