Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Roland Dobbins" <rdobbins@arbor.net> Mon, 17 July 2017 15:04 UTC

Return-Path: <rdobbins@arbor.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A263131C34 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 08:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.701
X-Spam-Level:
X-Spam-Status: No, score=-4.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3saHEP_9Gwf6 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 08:04:15 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0111.outbound.protection.outlook.com [104.47.34.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F30AB130019 for <tls@ietf.org>; Mon, 17 Jul 2017 08:04:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-arbor-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LRkouCJqDGYMEcFGoasZSDNRB44JeFt+ew5UblgcjgU=; b=nYLKNL3dgiQW9V1RAcAShc7D8Gzv3HbzZ9WkRo4TROKGQ56oNJzyVWUzTqpu7q7b6fa+XDF1bLWSsn6jYopDF1gnfSy3xLVzXEjsoJXtynyb/p044OvSGL437PQtm6VyRGkTmQ1knisnbgq/RtzWZIqdchjlJUSgopBcxvtccPY=
Authentication-Results: ll.mit.edu; dkim=none (message not signed) header.d=none;ll.mit.edu; dmarc=none action=none header.from=arbor.net;
Received: from [172.16.1.3] (88.208.89.131) by BY1PR0101MB1029.prod.exchangelabs.com (10.160.199.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Mon, 17 Jul 2017 15:04:13 +0000
From: Roland Dobbins <rdobbins@arbor.net>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 17 Jul 2017 17:04:02 +0200
Message-ID: <B675B1F6-FCD3-45A4-9345-0D6597CF801F@arbor.net>
In-Reply-To: <DEAC3D06-164E-4A18-AD5A-5B026ADA1E52@ll.mit.edu>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <8b502340b84f48e99814ae0f16b6b3ef@usma1ex-dag1mb1.msg.corp.akamai.com> <87o9smrzxh.fsf@fifthhorseman.net> <CAAF6GDc7e4k5ze3JpS3oOWeixDnyg8CK30iBCEZj-GWzZFv_zg@mail.gmail.com> <54cdd1077ba3414bbacd6dc1fcad4327@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDeSv+T1ww5_nr6NPgg9k44j7y04tJWC=KeaJF7Gtt+TVQ@mail.gmail.com> <9bd78bb6-1640-68f6-e501-7377dd92172f@cs.tcd.ie> <CAAF6GDeGKEBnUZZFXX0y0a2J2+sVg8VaHh-4H9bhN0Zzk-x9uA@mail.gmail.com> <6707e55d-63d3-01e2-4e98-5cc0644e29e0@cs.tcd.ie> <35f4c84c6505493d8035c0eaf8bf6047@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcq6_ML3yHSQTy-t5irYLS10VVzk_R+7nAUKqQpgcCkrQ@mail.gmail.com> <a22d69c80d8d4cd2981cd6ede394c96f@usma1ex-dag1mb1.msg.corp.akamai.com> <F533492A-ACF1-498F-A03C-B829DDFFDD36@arbor.net> <057af2f23acc450a9b896f9f0c81b06d@usma1ex-dag1mb1.msg.corp.akamai.com> <96E48B74-B718-4F9E-A12E-E43E6A5147AB@arbor.net> <DEAC3D06-164E-4A18-AD5A-5B026ADA1E52@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.6r5347)
X-Originating-IP: [88.208.89.131]
X-ClientProxiedBy: DB6P190CA0002.EURP190.PROD.OUTLOOK.COM (10.175.240.15) To BY1PR0101MB1029.prod.exchangelabs.com (10.160.199.154)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 15433b10-a827-42f7-7fc3-08d4cd25166c
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY1PR0101MB1029;
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 3:Gby7eI02N4iu0I0poUS38OVufx8Z78AGr/kNwLGlFVeLBzMAX9ZPCBjdab1mHinKN241N6pHIGAQ65x6Dvb1Al4wVz5YTYwWd8VhNHtkc/4EBVzDo6bTYZjTkcK8iiaaqZKac8OrcrH/mp1XeR+t51/NGPRZH0S3+6NdnXH+w1JOX2vszefakOj92tLghdtITwkzJn5hn+vI8G6DCEmf2cxOqOYKh7xPJPsKIlSEuX8LbMC8LT/oL8HwS8tO3Waj4AvncPAkaqzqr3mVuoUrH9SMyPCWns+ed617yS4USZSeGD5fs3q9e4ebdBfCHx9A+Igo6DSYDNaSyJP0yXyqa7YFC+GgVmXGB7gXFnvj5a+Qe0o4+QxvT6ITjtBJV+ZrKF4lJ4revcK9PtMOBByA4v95E2Df38ad+uCc/nhmneI0SZpWJhdkfzxYO3aN9Vjjnv3YYYqdjmxRm8fvEb8n37LKgmTQei9YFt/zGRb+EZJUSEBUH9iGzslICK4bawFBfB+Wk5Cg27iTe6Hi7MKbILwYCyozk58v2/f3OWxIiBYpy51w+2Hn+1MsxWTjc5/GO6nbzhK/jmp0e7lrCWwfs1bSk3KyUign1v5auRqxDUrEONgb2T8zpK34IYjEy6V2DxS6e0AIvfYkTqhLVR4PQ18bhn8gw+eAYdrS0puxpxfv095W420EGeer6GQDXyuYGsyxxDe+L6zNvxWEfvEMDTSVAnqNJWQfDV8yG1CeU7c=
X-MS-TrafficTypeDiagnostic: BY1PR0101MB1029:
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 25:FoFa79pOSSMz6+KLruMmUUTVby00u0YKdMfeymt59W+q89A3+kjPhwpKMxE9kPXkkyUrOyarRgVT4CPz4vST9PFPwgo+XygjCPjqHC/UwmbPvQ5fx/KvWDIr3L0zf3/BJRqKwGZsOVxnm6O7TWNVnSHKTjidnCm+vCagQcrpI4k2hQ4jOccDOCagknRHpJPZEV2OwuXZip6ohcMQHp5ecg9kWIVa6254FqjzBDkL+dF0OEqsPVrw2Xi6Ztpq7yd9W1YubW1DIE18qqMnEpVDfIFmpJht9bOg0ziqDW5NIq8TCkGvwVG+WA6PmWMSYQVXr+FgIvT0iG1Kkxd62Idk6A6ywyf5BnwVWBsoMByo3nL/wkupQOAuZkAwM5EF10Q/XZ5znuDeK1wuDSs1VQu3W8tM4ugwJCwwjnmqntvAqgtZnJ1vagSMg+ukoqyqnCS4SGB0ARc4R6Zyp8hGEQHlsGKHZM59fzr6K1N5kthro65T6TUsyzeL874Cj0Vtt8u1IJ4Bb79BBt6xJuHEQjBqFuQf4n1t9PkXYDU8t6gDZat2HK8SsfLOBfjMUr5a/R7kg03X7EFWfJCkxMnZrbcgHy8931MwK+LyXJRVFPyIpbEvCchBB89znoVEUTz9gR5Iw8xhdzGnh7Xggy7dJuvzKDpvecqMf4eRa3FOJBBy5pjp4RHelOngAaINqF12JTzQPi/Qaa2iXVF1Tu4rLkbsAzxvbi9NhF+YxJTrQs8clLhEn0REBxrnba/iNlEj3yKw0zi74v40FErpUgr8A0YrDGqkd4BVEp+BVJAXyf92zaPiUJajRlbp5UakVmg/HUSjk85dDJGzQgkJfJIu5qDbHUEfCvV221GjaiW68QzZYUojmjLvGvmLun6If6aRhTUmru3VxBwkVi+RwiWZIsSjgZDBiM9Kx7ZrLVlUjSNBmlQ=
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 31:bvamb3+Xv6kgiBIS/Qr/39ZpItO0WPOkIUVoihbNOCfHOWDu1Tzz5ZQWHFrbEJZL5BBHkpQhwBZBwbwNPCivOj37hLIPlgEweZZpSuO89W3jlKkX9wMT5O4adtiQ728Bm7ebIRfQDeEqHpCDZ3X3BxSQlXLmI15Umhzp1E4pIXJK6dCNWvoQ5ZpBsMqu4IdDUN4UpHJ9kuekWeuMmRQUCVL1Q9W/ZXxA476rW+Boev2XyWtjg1+6c3tZobLf5jVppUzozS21XQ067FFRbwhF3oB0f0MDqLJzrTwU9CoqjhvmceqQuLax9r/u6baeBuRpYxTW68uwJc343XzT2VB4hVN1cg2FvvER+B//c7WUMOPGD1oi2EbTVsoyPGepsawHSbnPfkN69ChST0J5KUl6XVLuEis9HpX3gOeQZP6L6Gx4ZyoWUntA+N77PVts3lgC/iGksgn25JfX6oLms+DdT/LxDbmDwbshFY2MXUUQiIqQFPIBqimzL3fagBFipSEx3WWycHcJ3/18J3ISeAg2nivtCASlKYFLeyWEUlzFHTPDhDHpd8ryRVb8PjwjDdXX+9DG03xyalw8ZxAtWaargDtShS0DWqn1aezppz2SjtzoTHj+H48wJv4meSVnyx9mbXgYaHfdPjsIMUG/jpTl/4QR/TW7wipeTSpG/xTXv5Z9LSyNgWgP6iRg9kZn5oesnhCcxEibh4fHvSoi09l5YVNHgTnzsKrDGJkDZtBiof0=
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 20:4nJy52lsHJj/vuoTY+qNYKZSmqgMvQjF0knUZiH2bbQ2m0L8nr/ONaj+0/cuC/LgD3C7RvyL95nhhIpVQ/NQhLkoieM2cect7fsX8AbjvBIc5mbQ2ZUr9yzEE1BHGILr1yLpIf/E+cMv19UlWoNc0lCxTePiSXCMH5ZHMu+zR+QLLXx9gBlHxmUhKFWFCp3ts2Sm7WlAqELkDaXVDvzoY+WqPWkm+Hqu3m311RUzyIaQ6Te9uvKeLb0kVqtFRDeHjBA6IIZ5iTsqWvAfVsRY6nxMRjo3YdWwR4lLru+wc2VNUv18WuYd7bW533dBcUuB3jyxGfg1Cjnw+zLCVmbIXm2073nA8IH8R9ggdvJ8vaMdnI5pjLtsdxt+lQvUOWcaIfOnIni+pRuGxndI/Xtpq0jZW4QRCV73SQ+Un80KrJcUl9fVaRq5nlaJdJpAMP6hCbw+tj/8ZKqW6TSniuK8wT9j5mHxcUD/s5rGE2APoKiukMhWrBNchI0paKaV+3CQ
X-Exchange-Antispam-Report-Test: UriScan:(246478575198768)(236129657087228)(192374486261705)(48057245064654)(247924648384137);
X-Microsoft-Antispam-PRVS: <BY1PR0101MB10295D82AE7F5F53693A4A25CAA00@BY1PR0101MB1029.prod.exchangelabs.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(2017060910075)(10201501046)(93006095)(93001095)(3002001)(100000703101)(100105400095)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123564025)(20161123558100)(20161123560025)(20161123562025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY1PR0101MB1029; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY1PR0101MB1029;
X-Microsoft-Exchange-Diagnostics: 1;BY1PR0101MB1029;4:k0gIXwq99Ua6aMbep94ToIqueB+xHfO5eN16k76xOn4GcwaJCc4Jl3rG2mnwN4UmutKGvMtmw3nxgiKqPDJPTLkMrvQrcOqoqQfJy0gvtapU69zGY/ZQFXIPdVS+XsWL/aYXVEtK6UcbaZz3y6qOfI3ETwNu/CUEV/+ZjwF7pOgnZIBwHNsW/nthHTCbu7YgCZUFe9+XG/BKbTgfdx1RZ6S80w+c7ggwtX159+sgkHdABjeiM+ou+RBkMDFTsJ4FuTihguFlUyUYiNfwod4cDdNoYpjfmlfzDHH94PfqooR4ro2ThZXovjiSu3OaqQYN33xd9YBCKidYU5vbg+srbGouW7lG6H+ONAmhHFEpNVWLh+heB1O5vum8OaV9TEwugv1j6YJ4fV9xs2NVpkGK8OqZ8b7LEYeheLHoRnrFPj6L4SSDlNilgo6XQJxG7huRXVp0unUITgkENp2KCNrx4Gpz6b2y0ow3m+upCntx4abS8wvqp1rZjegFuxWFlLlH7o73F3QYu+DPRyifiluf+GbtnQV6TBjCJP3/QmubJq5p0am5o3mDrlUdHnOV6v3eIzjSpslzuhZgXlfarlbOMTamAzou0Zy31WBYeSmIWJ7/I+2INEHtX537uLkWa2UWytF32GLWWlsh38+s+qiYK8TC/weTaG15IFpXfQkGHBBS1JIP+YPI77cToo8Hd5BC7HZxXohyIlJi58+ISGPSYdPu/8JV4US4y8k3eN0ukbjIzZNkBKqbdfqux19byF6rMFxd5cjrXkmJ4aqSqv+FfJ3Vu1a+vZynokqFqoTHXmTKW14qXldNs1WPnFkmNKlHLYsVlNc78nzEfHF4jyx5eGlacYkn7y1gnMILaOV7Bi/FY7b7Sn3ZeyXMz57G6fxKIT7Law9Bfko1QPjMteY2u7DqB0swHHkALCDzZFK/aT7efrSefwWHa/sxw21AIxAmX3UhTAQ/FKoZAcaRDqSA41sToOOAJppIBDYC2oYCdGggB4qKoQzOIirqADnYPl/+i7d12mZGclajqeG1c1aZsNr/qf34xh1QE6QGA3M7zIcY9XO6wdeb/Gm0V7dFdC2fP+moDqGzuSozhlclGTv15SsdVOHJNBzIMDz1kDNlfH0RrDUS7SYhZMZmkRPDFN8pOcB7/hoqdsrCpYCt5R912tDy5SFvynTNP1mMQDcpZ1Ew1PijPd7FXkCCs+k6PucopazL4+DBgFdztDAuFkdbw2ipq5392q0m2uSTG67VRmD3JMhdjcaiHXbwwx8OK5MyfqjAZJrb5huQgly2Y1FJykNXynZrLRewa3ChRMT13bOqDz1GoVEfeeoeCgpp4lTznkGbVC+jh6JL6lhnPDIXMA==
X-Forefront-PRVS: 0371762FE7
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(7370300001)(4630300001)(6009001)(6049001)(39840400002)(39850400002)(39410400002)(39450400003)(39400400002)(24454002)(47776003)(561944003)(7736002)(230783001)(189998001)(33656002)(76176999)(305945005)(50986999)(66066001)(2906002)(4326008)(8676002)(23676002)(90366009)(50466002)(50226002)(53936002)(110136004)(38730400002)(6246003)(2171002)(81166006)(42186005)(93886004)(36756003)(229853002)(6116002)(82746002)(3846002)(2870700001)(5660300001)(7350300001)(6486002)(25786009)(83716003)(77096006)(2950100002)(478600001)(6916009)(53546010)(6666003)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0101MB1029; H:[172.16.1.3]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;BY1PR0101MB1029;23:q0qubs7ZnuKrgTkntf819z3I4n56DeiQBfnL0nBT3vg8qoxhvK8YoPWLN9uAmpMXk21EquzheltsFZt5D2yyn084ju2bIEkIpAgwVRNRLpQGsU/4fwRqy/IGytidOI+aiU1doeFaerupUcL/2bC7wvJb6C2cOYNhZKkHy3FrwN8SfG+cMrVSTNY1c0tdJPNffQSDT9GvKg017UnTVqqe793zFtoQYoPLKVI0/w6Tm9rmxEMti6+85k3MCceZbfDVecDWqjdmzYRujg2/hP7vCmxR32iGGSwA0AH42eFkPB/e1df0L8hYng+I3FSX4T8BxHPgeQz0PqE3GJK+qjDelbJTXgrhM8DDUPEqQVa3zk9hw/SpJI/MQjho7sEkX80XnZCpCZqBZzh/C0X3pvSA8xpS+bALzQRC7qBeBevjFIrO+8CvW+I+EPGOX1rer2plGTEwXxz9Xi3mzI4QIa5KByQiijN71F1MCUxuPeb75lgJCmtFqkVu4js1+MFUEilUnBEAAzKi45j17gx2ucyHXlTrQ63W0X/YW6PqW74kS9wgt2+YdsNELCHh+OfLPtrxiMbpxjUk+8vVBJDMj/8Gvg2HcVgBpv6q1zIAz62UkUL1dcGIy3s9gqcLQTD1vabz4r27qyNpA5VfyT3sF+ZsYIbD7h3adj8XqHNVbM2Ab0z88oufDbAGvWZ9gfLGA7HV3sOSKD5vT5q87PECXhFi+l61VE4pdGs1KC7gjVl1wMyAeWLbEgNdb/XCSJMtPSIGLB/40BcM6u7W/AQxT2ZO6JcsNeEsnVd0hv3gDuRWxdLieuFEKW8Qvzr5MLSfOSWRU8WMkMTzZ867uvosiN3rpowPWuKkm1q66KTdsh5SWhw7P7YbOKzENafYN7XJ8cOR2ziXMQgGLUm522jPtMoB5aj4tfWgM+3frt/S59qwNJQv6yEVU5M9NS5EnSbMTKhL2ClUnRqJqt4zXQhXa3pFn0viOky1ptbXIbxWelqACQYAk435eahYVH7UErcKCfLoLfbRJ/qjJvCGnzpgYGOmJI88lofREKr8Onii0c3AAzF8A2Znv6mWsAxxRWX95gasa8M00KwPXDSoiBHLmHKvOaA3IznD2NwYqr9TMLggD6nTPyJNAtetRd3lSiwhalWmaYYGQmzUsUOl8fXMq3/eAxntefSp+xhN1AzTEfRECFTeh0GguIhV034UMOvVJmEnfnllsjSLkZaFvRSxI9Ll01xQhBfudGkVnjDRtl8eeNGmDDEpUTtqcRKjkkCXRoIBpzuhgs7L+wdylGDB+YCcSAJtSHbZ7EZHn/23mUM83Zw=
X-Microsoft-Exchange-Diagnostics: 1;BY1PR0101MB1029;6:MihDIVgcjBIOMsfYZnVcQmGIdy32wow7ZmnUmNgagdkEXpgQ+rD4ykaOpLwuLQkMV+giyglfbeU76F+xNOAN79She2wb2WacZ6TzFJDqgGEj9s4nEXm5ZYgtCQUEq/ngosVFEHLyPcms7+Bkeo/eZlyIjz8efEp4kkcuxbaizTA8C1w2GWYLci+Q8Yppk+12Zp8nihP6bwaG2jzXv5debfQHsnhP8Rub33YqmTWUkqvnqzeVJc+/djC6dyK8aB9STv1HXRFVy2EEeBJway/CchprXD3XQeL2qs2xeFQrTQLBcd6YskIyLlxay8sjSAweW4f12sShLuB3gl80UH3cLvyoK8M6CYmdCxpD+elllPR6zq2wwP7GDvuXBstPNHCfLST8MRN42fO7+vjaR36TcFAZD98wqjbc2DnPlWdbimrUf+zbR83sMuj8T08aWCGV9DHXj2E/ggpvLSwufvcBR+yHyxzgL8nhEmmY/w8pm/YosJhW31yM8yII9FWayVUHtS9149zl41GvPSVL6w8IJzS941wAGC94npUYMQwTQ4cIZS3cHj6fiaq3fAnP57kP7DsKiNNxzonKBo53kY1/HD5OBfh/MIhE1Wc4UvX4ff6F4ZZt9f0/IE/2mCO0m1xsKsBR/JILJM4ajKus87sgV4Xdb7GtpStgwGIEJSOKCHFT8WX7ozGizZABye9OxMXg+TzeD/6CmHipZtHhJhM5TrOrQ0fuxsvr8hAq6GolZKKX3ZiKwRkxayPgD1bcQYbBV0Ary0UCp+Sns1nuWKcMh/KK9A9yXjSOn74anGDWbKalxq3/kIHjbcJycFs1cRBUlZemhWuUas1DawXh8xZAhARG/0MsocylbZz5lHWebsbmygx78KU/3xY1/hwF2gNpk8idt/hNxlXlFt1QTxEtXV2TjEgmiz0j04boGFbRJ7WNppqbc3SoQ7bowq1l26DNTQZ/8JCyi8iP9FoEd0YiucFfcAkJ6VWu81RCr8o3oHE=
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 5:flUiQ05PhAQ2dUH26rMNA3V2PTbu6Z3eejaDhhp5c39670/JKGT3eDQ2MNJYoFdI7J4X015zefqR4UpgtAJiMp35ezpOMJ6TFhFQufZxNXLrDPCXOgnyUFEav9ItejfFCG5ngVh+a1YMrfUKC366I4T2aZaO6apDW1MeeNNu7WEUA3VPnrBaWLxWh8Z7HPTUmyAE5d1c51fMFuNu20syfsxclwFeMyXCiHA4E0CAgBAtWCRW874pWIWoIxqWB+OwhlScSqJKBvbpZvyWUVWuTcJIZWpW9BZLO1iSMvn+0/GRzLv3UaOK9v3cUSLvKeb7lE75+oTQrKeiKf72SjP8dGjFK1j8NVTZlc3SagnAq9xkJ2wEobzeJDLhzdrDGHkUCSqt0zgjq0kA3+nLExL3MoepiEyevqhp7enwAs8Hykx3hglim3LhEAbaGN7XJEFHAvB9LiUGGE8F9VLFyd3+UzKhBcE/R0boIubXuCjRpKyyOtVe64HjJY+ijWF4/ble; 24:N+b16UVEw8i30WF0HhwHlPLjnF7DEZ7SQwLzdg0/Myw74UqQUuTnQlD3icYOLNWyaZ5s26hB4mGCLzXXLrEPtN/SrQxyCYtf13Ny1t9nA88=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; BY1PR0101MB1029; 7:5vHdl6mhroHkd9PLeFeGnwg9r9RMoghAKMXZ7k9ng6VzoU55KBYNTUYKpDZBLbPb45BcsD1b3MnVtsj5CrjsgrrJlyw0YIjQQlmDzjEtblT7y9mWTrcBjrs0mimaTTrKV555wmAP275nBZAMlCk9Dwfzctxx605L9o0o+yxzj0JfoS1DWBfgyS/g+WU/a9Oeuy3f+A9H3gbvqNHd8PElqiFN+t6ohxxNcfXhZ+713qTyYWiAFHBv1WU3FeGl7tfPUdIXl71bbwODbYSsWbtNRw+9O3SBkPyRiBesuLyi0ZWtPu5M8Zf/SZgXZp2UD86q61NsjfnXb6vAmc1Sf6d1U8TQaNUuqce4gB3tQzb6zavCe5Mt6AsT92tknBCdMyM8TOUHqiuDIMcXa4v/FPb0GZwpAvD3T59iC3D7f9Yv7t9gWsfijhWn71oEXNx0fkHpDDd2JLRHsuf5uMbq2s7CWeRL6lcdkIakfxXrJ69DsPf4Vbig149DsCAP+JtEYDMswHlYQD8eSaTU0pHpQIJYtrYVni+23NOjOh6lmEtRfL8ZfmqRdo43VXfxsx69DzTomYTzO4omZaNqdfLvWkSdFykFHRmkL/jskbF7xETpGlNRetff+fEZz/IamJAgiW54sLXQ5NF2cO/wHwoMSWS87tOSLxuXm7BDIdgslv9Pv/NDq8xdO3HRu4a39v8n7KeV1s5ysw+bVV/hwfGvOPMFCo5WmhqFeZeRp6K4qY4tQpON0QPOuvZ6MOjY2V/aZNjR1y4f+UM4hgTkyXwlGhx4wXAuzjBggf+I4vStHJ7/bt4=
X-OriginatorOrg: arbor.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jul 2017 15:04:13.2630 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0101MB1029
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wV3NK8FAD362J0BGGRCxjSAqrEs>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 15:04:16 -0000

On 17 Jul 2017, at 16:04, Blumenthal, Uri - 0553 - MITLL wrote:

> “But we (the (network) authorities) are the good guys, and we need 
> to break the guarantees TLS provides so we can catch criminals – and 
> here is how we propose to break TLS-1.3”.

The actual concern of intranet operators is the inadvertent breakage of 
an important mechanism used for troubleshooting and security in the 
context of TLS-encrypted traffic on their own networks, within their own 
span of administrative control.

> Considering that unless at least one of the end-points chooses to 
> comply with the “rules” it will not work – the claim that this 
> measure is to help the good guys does not sound very candid.

To clarify, this technique is for use on intranets, within a single span 
of administrative control.

> Who is the intended target of this mechanism? What kind of criminals 
> is it supposed to catch/detect? Surely not the malware that penetrated 
> your infrastructure and tries to “call home”?

Actually, it's been used for this very purpose, quite successfully, for 
many years.  It's also used to detect and classify lateral movement and 
propagation of malware and attacks within an intranet.

And it's used to detect and prevent malware downloads by intranet user 
populations.

> The proponents of the “broken TLS” somehow expect that  those 
> criminals would use weakened crypto for the convenience of the ntwork 
> police. How much sense does this make?

In most cases, the attackers don't use any additional crypto at all.  
When they do, it's most often poor crypto.

> Experience shows that criminals use not just cutting edge – bleeding 
> edge crypto.

You're absolutely correct that a few do - as you note, Conficker is a 
good example of that.

> Plus, there are many ways to foil this proposed mechanism – for 
> example, super-encrypting the data before transmission.

Sure.  But the ability to infer the presence of superencryption is 
extremely valuable in and of itself.

> Then there’s an issue of the abuses. First, not all of the 
> “legitimate” authorities are “good guys” (all the time :). 
> Second, I’m not aware of any “network security” tool that 
> hasn’t been subverted at some point in time.

Again, to clarify, this mechanism for use on intranets within a single 
span of administrative control.  Like you, I would work to dissuade 
anyone from using it across the public Internet.

> The likely result of the “static-dh-…” proposal is improved mass 
> surveillance by authorities, and exploits of this mechanism by the 
> organized crime.

Let's remember that this technique is in use on intranets around the 
world, and that's the focus, here.

> To those who need that surveillance: stay with TLS-1.2.

Unfortunately, this isn't possible due to regulatory oversight and plain 
old bit-rot.

> Either you have PFS and the bad guys will benefit from it too (so you 
> need to detect and fight them using other methods), or only the bad 
> guys have PFS and you might [0] detect them because their 
> “protection quality” stands out amidst the ocean of the 
> automatically-inspected & censored traffic.

The ability to infer superencryption is quite important, per the above.

> Because there are well-known ways of hiding the presence of 
> encryption, at the cost of increase of the ciphertext size.

We should also keep in mind that are also ways to counter-detect these 
obfuscation techniques, too.

> The hope that the encrypted traffic would stand out is unfounded.

Actually, it does stand out, in many cases.

> Considering how fast the attack sophistication is evolving, the 
> likelihood that “they” would employ other countermeasures, but 
> ignore this one is fairly low.

This technique certainly isn't a universal panacea, as you rightly point 
out.  But it's an extremely valuable and important technique that's been 
in broad use for quite some time, so maintaining a mechanism for 
intranet operators to analyze TLS-encrypted traffic within their own 
spans of administrative control is important and worthwhile, IMHO.

We don't want to inadvertently drive them into using proprietary, 
non-auditable crypto.  That would be bad for everyone.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>