IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 24 July 2017 09:41 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E83E12EC4B for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 02:41:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML41HBd6eS4d for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 02:41:23 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 085E712EC06 for <tls@ietf.org>; Mon, 24 Jul 2017 02:41:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id A96FCBDD8; Mon, 24 Jul 2017 10:41:20 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qmFZhE4CF2s; Mon, 24 Jul 2017 10:41:20 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id B0E0EBE2C; Mon, 24 Jul 2017 10:41:18 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500889278; bh=up75oVk3HAad9zy7HdB3yw/rF/AyZpzrGKVs46J5/Nc=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=gDf++ZD+gIDWoT2S38VmKA5X4/hvYVptnAg3VK+WTnl8KxsXi7ZtLDXEM1SgmdRP4 3ewQq5SstAbTfv67utpdC28JyX5DsvdVQvI6kwrmlS8OGsuJJvRnmcps39s+vc9oXT xSuCYXgxR7FMu4httit8mZO7jWdS3/Ch21rHlmm0=
To: Felix Wyss <Felix.Wyss@genesys.com>, Ted Lemon <mellon@fugue.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <CAAF6GDeFuRy0DN6w3FwmR_nh1G=YBi4+qiEcw0MfSRj4SUCbZQ@mail.gmail.com> <20170720200114.AA2F91A6CB@ld9781.wdf.sap.corp> <06AE85BC-87AD-4CA5-8408-44F670358701@ll.mit.edu> <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu> <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII> <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu> <35FD3356-8300-405A-B8D8-FC2574DB9A56@fugue.com> <EC5396F6-98D2-4A04-94E5-1618BC8A2C5D@genesys.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <636eb20e-f4e4-0fac-b5da-c12ccc1d6c6b@cs.tcd.ie>
Date: Mon, 24 Jul 2017 10:41:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <EC5396F6-98D2-4A04-94E5-1618BC8A2C5D@genesys.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="nrDC0gP9Tp20OiHKu9HRr5etKIi8Tu9N2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yXrbRPCIShnLePLWDp93bOlyrSk>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 09:41:25 -0000

It's fascinating that people cannot seem to stop picking at
the scab remaining after draft-green. I really think we'd be
wiser to just let the wound heal. (And get on with the work
that this WG has been chartered to do, which does not include
wiretapping.)

On 23/07/17 18:17, Felix Wyss wrote:
> How about requiring a record of a fixed size that either contains the
> session key encrypted with a “leaking key” or the output of a stream
> cipher keyed with the session key.  A 3rd party observer would not be
> able to determine whether the session key is being leaked but the
> client can tell and act accordingly.

The relevant signal is that a TLS deployment is able to be
wiretapped. It doesn't matter how that signal is sent, via
rfc1149 or in-band. Adding your putative field (which is
eerily reminiscent of a Clipper LEAF) is such a signal, and
it doesn't matter what content is in the field today, the
"local" authorities will see that and send you the key to
use for them.

See also the many earlier points about consent, naming etc
etc.

S.

> 
> --Felix
> 
> From: TLS <tls-bounces@ietf.org> on behalf of Ted Lemon
> <mellon@fugue.com> Date: Sunday, July 23, 2017 at 16:34 To:
> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Cc:
> "<tls@ietf.org>" <tls@ietf.org> Subject: Re: [TLS] datacenter TLS
> decryption as a three-party protocol
> 
> I did a little bit of rubber-duck debugging on this proposal with
> Andrea on the way back from Boston this morning.   It's actually
> better for the server to secretly use a static key than to negotiate.
> Stephen has already explained why: if this is a negotiation, then
> it's possible for a third party to simply block any negotiation that
> doesn't allow it.   We have no control over evil endpoints, and it's
> silly to pretend otherwise.   Pretending otherwise makes us less
> secure, not more secure.
> 
> 
> 
> _______________________________________________ TLS mailing list 
> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email