Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"David A. Cooper" <david.cooper@nist.gov> Wed, 25 October 2017 14:23 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5720F138726 for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 07:23:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VYILzchK9AwG for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 07:23:44 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6DB713B47F for <tls@ietf.org>; Wed, 25 Oct 2017 07:23:43 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.361.1; Wed, 25 Oct 2017 10:23:33 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.361.1; Wed, 25 Oct 2017 10:23:40 -0400
Received: from [129.6.105.183] (cooper-optiplex-9010.campus.nist.gov [129.6.105.183]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id v9PENMw0009117; Wed, 25 Oct 2017 10:23:22 -0400
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <cde0e322-797c-56e8-8c8d-655248ed7974@nist.gov> <FB95CAC8-C967-4724-90FB-B7E609DADF45@akamai.com> <8A5E441B-90B7-4DF4-BD45-7A33C165691B@gmail.com> <3BA34D7B-BB04-4A1F-B18A-B0AC25402C4B@gmail.com> <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov> <9E26AFA9-2E72-4E8C-B304-553A2C851DC4@gmail.com> <2d45c53b-cef3-7e86-3d6f-3d486b1342b8@nist.gov> <74265928-8252-4CA1-B6A4-45296F74637B@akamai.com> <5fd2adb6-ed9c-2368-34de-db0597727e68@nist.gov> <2419b509-c1a5-d867-92c9-f4713804af91@cs.tcd.ie>
CC: "tls@ietf.org" <tls@ietf.org>
From: "David A. Cooper" <david.cooper@nist.gov>
Message-ID: <003ff6b5-1e1b-17cf-8b45-3bdd8562b902@nist.gov>
Date: Wed, 25 Oct 2017 10:23:22 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <2419b509-c1a5-d867-92c9-f4713804af91@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xgndo4-BiyUTIrRG0Gx543_aCsY>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 14:23:47 -0000

Everything I have stated is my personal opinion.

Note that I never suggested that I like or am espousing a certain 
approach, I was simply stating a fact. In many cases today, a TLS 
connect that appears to a client to be terminating a one place (Company 
X) is actually terminating somewhere else (Hosting Provider Y) without 
any clear indication to the client that the connection is terminating at 
Hosting Provider Y. Nobody has suggested that this is unacceptable or 
that TLS is broken if it can't prevent that.

TLS is not an end-to-end protocol, it is a point-to-point protocol, and 
as noted in hosting company example, which you claim to find so 
troubling, it isn't always clear to either party what's at the other end 
of the connection. It might be the entity the client thinks its 
connecting to (Company X), it might be a hosting provider acting on 
behalf of Company X, or it might be something else. The best the client 
can hope for with things like TLS, PKIX, TRANS, etc., is that the server 
end of the connection is either Company X or some entity authorized by 
Company X to act as Company X for the purpose of being the connection 
endpoint (and, yes, Company X may have been coerced into authorizing 
some other entity to covertly act as the server endpoint). I am not 
saying that I like this or am "espousing" it, I am simply pointing out a 
fact.

Similarly, the best that TLS can offer in terms of privacy is that the 
contents of the communication between the two endpoints is not seen by 
anyone else *unless* at least one of the two endpoints (client or 
server) chooses to provide the contents of the communication to some 
other entity. draft-rhrd-tls-tls13-visibility doesn't change that.

It is also a fact that once a client provides data to a server, there 
are no technical mechanisms that would allow the client to limit what 
the server does with that data. As has been show over and over again, 
including by you, it is very frequently the case that the server that 
initially receives the data passes it on to others. The others may be 
back-end database servers or anti-virus scanners, but the client has no 
control over what happens to the data once the server receives it.

I have not tried to argue that draft-rhrd-tls-tls13-visibility is the 
best solution for addressing the need for visibility within the data 
center. Perhaps it is, perhaps it isn't. But, I'm tired of the abusive 
and false suggestions that draft-rhrd-tls-tls13-visibility is a 
"wiretapping" draft or that it is defining a "please-screw-me 
extension." These suggestions have been repeated over and over again, 
even though they have already been countered effectively - "repeating 
points already countered is just disruptive noise."

On 10/24/2017 10:13 PM, Stephen Farrell wrote:
> David,
>
> I'll go back over your mails tomorrow but was struck by this...
>
> On 24/10/17 23:39, David A. Cooper wrote:
>> I haven't even gotten into the question of what does it mean for a connection to
>> be MiTM'd. If Company X decides to have its web site operated by Hosting
>> Provider Y is the connection between the client and Company X being MiTM'd? The
>> client might think it has a secure end-to-end connection with Company X, but in
>> reality its data is being intercepted and read by Hosting Provider Y, without
>> the client's permission (and most likely without the client's knowledge). How
>> does TLS, currently, prevent this? Why isn't anyone demanding that TLS cannot be
>> standardized until it can be proven that such a scenario is impossible?
> That strikes me as an incredibly nihilist approach you
> (or NIST?) appear to be espousing, which is surprising.
>
> As a question back to you: would it be ok if NIST were
> to reinstate Dual-EC? If not why not? After all, (based
> on the above), all that'd happen is someone could do
> stuff that everyone knows (since 2008) can happen. (And
> no, with the current draft, the client does NOT know who
> the snooper is - it could be the NSA or the FSB and the
> client can't tell - and all that was already discussed
> on the list.)
>
> I suspect you'll say that it's better that NIST do not
> add Dual-EC back, (and I agree) because we're better off
> with honest crypto. And the same is true of TLS - it's
> a 2 party protocol and adding additional parties breaks
> all the trust models based on TLS. So it'd be equally
> good if NIST didn't espouse breaking TLS, at least IMO.
>
> If you can show me where you (or NIST or anyone) analysed
> all of the uses of TLS to check that there are no bad side
> effects, I'll be interested in reading that analysis. In
> the meantime, your personal evaluation of your risk is not
> something that I find convincing, sorry.
>
> S.
>