IETF Logo Mail Archive

[TLS] Draft RHRD

"Salz, Rich" <rsalz@akamai.com> Wed, 01 November 2017 14:18 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35B9E13FBAE for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 07:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDNHuh01imAA for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 07:18:34 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D44FA13FAF6 for <tls@ietf.org>; Wed, 1 Nov 2017 07:18:33 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id vA1EIV13015265 for <tls@ietf.org>; Wed, 1 Nov 2017 14:18:31 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=wqVrpP9UX0EDeqNhadWuuJF/JLv96s5RHoRM7ZoBi1w=; b=JU5M0eMAMEP+9Dy1IAqMMoUV63kZYp/mfWATPWDlfFYN7eeyCIwP3UB2xkhIbZumea6n kset3P6AFVcscj4MiAzeEOEy5IOv2D0lHrrESwQ+mLSsYZfZs+4y8E9hOjJwGQOT2kgw sgM6SwXE0S9ok02byJgWwbU1ncL2V0RgoS40CPwv+SXiPUVGiuEKjTUpYeIVe4Chq8DS qiANS2IxE3ocCCvujPX1+4szs+yAyS2Nx5m4UHtm1QjgTUJ4H0DB9uSva9DUPz66oviw OD1vAFe0DJwtUqk1pc8mr77kVwtKcnxoQjczPkyB1FPBOwkJ7cpFad2pJuvlsWRce2zY fw==
Received: from prod-mail-ppoint3 ([96.6.114.86]) by m0050102.ppops.net-00190b01. with ESMTP id 2dvmqnxxtd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Wed, 01 Nov 2017 14:18:30 +0000
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id vA1EBKWi020841 for <tls@ietf.org>; Wed, 1 Nov 2017 10:18:25 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint3.akamai.com with ESMTP id 2dvn7w65t2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Wed, 01 Nov 2017 10:18:25 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 1 Nov 2017 10:18:23 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Wed, 1 Nov 2017 10:18:23 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Draft RHRD
Thread-Index: AQHTUxxGq1PtJ6qqTE65Tfal4qdsDA==
Date: Wed, 01 Nov 2017 14:18:23 +0000
Message-ID: <C2DD7992-0A5A-4970-8DDB-DBA651B4D6D7@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.35.44]
Content-Type: multipart/alternative; boundary="_000_C2DD79920A5A49708DDBDBA651B4D6D7akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-11-01_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1711010198
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-11-01_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 lowpriorityscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1711010198
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/y_n7Giw1gilfHKmSalLAd0ZjQU8>
Subject: [TLS] Draft RHRD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 14:18:35 -0000

In https://www.ietf.org/mail-archive/web/tls/current/msg24789.html, Nick Sullivan concluded:

>- on the other hand using draft-rhrd is safer than allowing organizations to hack single-key escrow into TLS 1.3 or continue to use TLS 1.2 with non-forward-secret cipher suites

I think this sets up a false comparison.  Existing TLS 1.3 debugging systems – Wireshark – can debug individual TLS sessions with the session key information being made available.  This is what the RHRD draft would require an organization to do, but it adds the additional signaling that the client is willing to allow it. The Wireshark example shows that the signaling is not needed.  Servers can unilaterally do it now.

I maintain that the cleartext signal servers no useful purpose, except to provide a mechanism for entities to segregate traffic.

v2.23.0 | Report a Bug | By Email