Re: [TLS] Non-TLS opportunistic encryption

Tom Ritter <tom@ritter.vg> Mon, 21 July 2014 17:18 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20F091A026E for <tls@ietfa.amsl.com>; Mon, 21 Jul 2014 10:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.779
X-Spam-Level:
X-Spam-Status: No, score=-0.779 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_34=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWPbC_NHcldK for <tls@ietfa.amsl.com>; Mon, 21 Jul 2014 10:18:02 -0700 (PDT)
Received: from mail-vc0-x22b.google.com (mail-vc0-x22b.google.com [IPv6:2607:f8b0:400c:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A3081A02E5 for <tls@ietf.org>; Mon, 21 Jul 2014 10:18:02 -0700 (PDT)
Received: by mail-vc0-f171.google.com with SMTP id hq11so11199249vcb.16 for <tls@ietf.org>; Mon, 21 Jul 2014 10:18:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=YcwmOpj6Cr7pLIk6BYq0qoxPspfbtZP+x8UCCgJukbo=; b=sCknBuXzeNoYp7PjoXsCC/AthMLO9db0OOQr9ijakMEs/JfnaFoQkZqU5aYNg8ORsH tJfbsCFg/r1fioL6ySKGWTreblUkbIkrHsUhkDpFCummK3g8x+TQNKF8ih3Qa6oT06FD CNTMD1r6TbJfvdzLl3NUYKSFfY1au7HgHF33U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=YcwmOpj6Cr7pLIk6BYq0qoxPspfbtZP+x8UCCgJukbo=; b=LXP+GyramtzgSxCrC67HXJ3gKp6WjDejUiZiHosb16ILjgRPzlQKq9P6Nknaty9iK9 sYGsUPE6nMHuM7u1Bt1ssQGYZpUWSGigkWwy62PnHcpoFuzOjZZ1A1GMDuqdo5smVN0S biPde0IQIBVmZ4b3ZsxmGaIsx8aemUYKKn49naHGBdL94xFfaMazhTmbig4i/h3IJDoo bzh7Y29Qr/HUJVUdsGV8wR3gvHku9jcEqS9ldtVsoNWCHFN4qBB8sIuKKJJSYvAwNxi6 HFtLpA6+AG3CVgIwTIcUaajJ6P1rW5bTFgpFKnhEvH8I+q2LWiernRgKDEZK8tYS8bUu I/6Q==
X-Gm-Message-State: ALoCoQkKLRjIevDn6ZZj41wMdYg1WZD1BUtuG0vURqGsxLlRvCz196EJSs7ejmI3yx7LhH/o/ihB
X-Received: by 10.52.84.2 with SMTP id u2mr3448469vdy.84.1405963080772; Mon, 21 Jul 2014 10:18:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.124.131 with HTTP; Mon, 21 Jul 2014 10:17:40 -0700 (PDT)
In-Reply-To: <CAMm+LwjYE2ZffBTX7=VYR9mvRFcr_vqBNucY2fx8N4opjMZ_Tg@mail.gmail.com>
References: <CAMm+LwjYE2ZffBTX7=VYR9mvRFcr_vqBNucY2fx8N4opjMZ_Tg@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 21 Jul 2014 12:17:40 -0500
Message-ID: <CA+cU71=_MZU+Ue7J3ja_Ud3tgewSoo1pGR=kexkQTiGizfK=ng@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/y-4sWRnaYp2gwkcmAKvHhLnTe7c
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Non-TLS opportunistic encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 17:18:03 -0000

On 19 July 2014 11:28, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> If we are going to insist on 'encryption everywhere' and accept
> opportunistic encryption then all we need is a D-H key agreement and
> some mechanism for applying encryption to packets.
>
> The result might be TLS-Lite, a very minimal subset of TLS or it might
> be a completely different protocol. But the key thing would be to keep
> it separate from TLS so that ubiquitous best effort TLS does not end
> up weakening regular TLS.

It's not clear to me exactly what you mean by 'weakening regular TLS'
- I'd also disagree that opportunistic encryption should get any of
the UI indicators that TLS gets.

I'm not sure if Opportunistic TLS is still on-topic for this list, but
the primary concern I've seen people put forward (and agree with)
about Unauthenticated Ciphersuites or a DH handshake is that with
self-signed certs - you can build a Convergence-style in-line
authenticity system or a CT-style after-the-fact detection system on
top of it.

With the other options, you lose that capability.  And if you try and
shoe-horn a long-lived signing key on top of that, you've reinvented
some subset of TLS+PKIX - why not just use that subset and not require
any (significant) server code changes.

-tom