Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Dobbins, Roland" <rdobbins@arbor.net> Sat, 15 July 2017 07:55 UTC

Return-Path: <rdobbins@arbor.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1C7131761 for <tls@ietfa.amsl.com>; Sat, 15 Jul 2017 00:55:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.701
X-Spam-Level:
X-Spam-Status: No, score=-4.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thescout.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sReNKBG0CODW for <tls@ietfa.amsl.com>; Sat, 15 Jul 2017 00:55:00 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0131.outbound.protection.outlook.com [104.47.36.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6BB8131B05 for <tls@ietf.org>; Sat, 15 Jul 2017 00:54:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thescout.onmicrosoft.com; s=selector1-arbor-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=F0k6+vNHtSCYocWIsuRXn9Zi9gFGnhcHxqEK6IOWXwY=; b=V+sh+n8NnCedvwHp3SY6av77ujNex7vlhOXy6gXplpvBHTcuOCTAR06vgiI9tdoqk7T8vI16L/gJv+SdT6TmkFzoswFKw/OMOalYsTzy4IBOzlB+qKKFkrqGUPD2MTqFLNiiUt4Bnv4bTjqhPPCSNQ5xYhCFao+L9HEfkCODx0A=
Received: from DM2PR0101MB1039.prod.exchangelabs.com (10.160.129.156) by DM2PR0101MB1038.prod.exchangelabs.com (10.160.129.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1240.13; Sat, 15 Jul 2017 07:54:57 +0000
Received: from DM2PR0101MB1039.prod.exchangelabs.com ([fe80::810f:2255:5d85:2fc7]) by DM2PR0101MB1039.prod.exchangelabs.com ([fe80::810f:2255:5d85:2fc7%17]) with mapi id 15.01.1240.022; Sat, 15 Jul 2017 07:54:57 +0000
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: Ted Lemon <mellon@fugue.com>
CC: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Matthew Green <matthewdgreen@gmail.com>, IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] draft-green-tls-static-dh-in-tls13-01
Thread-Index: AQHS/TNOetAoAc0WMUGwvSG+0rIljKJUgY1igAABS4CAAAIPEw==
Date: Sat, 15 Jul 2017 07:54:57 +0000
Message-ID: <44AB7CB8-13C1-44A0-9EC4-B6824272A247@arbor.net>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAL02cgRJeauV9NQ2OrGK1ocQtg-M2tbWm2+5HUc4-Wc8KC3vxQ@mail.gmail.com> <71E07F32-230F-447C-B85B-9B3B4146D386@vigilsec.com> <39bad3e9-2e17-30f6-48a7-a035d449dce7@cs.tcd.ie> <CAJU8_nXBFkpncFDy4QFnd6hFpC7oOZn-F1-EuBC2vk3Y6QKq3A@mail.gmail.com> <f0554055-cdd3-a78c-8ab1-e84f9b624fda@cs.tcd.ie> <A0BEC2E3-8CF5-433D-BA77-E8474A2C922A@vigilsec.com> <87k23arzac.fsf@fifthhorseman.net> <D37DF005-4C6E-4EA8-9D9D-6016A04DF69E@arbor.net>, <CAPt1N1nVhCQBnHd_MCm79e7c1gO6CY6vZG_rZSNePPvmmU_Bow@mail.gmail.com>
In-Reply-To: <CAPt1N1nVhCQBnHd_MCm79e7c1gO6CY6vZG_rZSNePPvmmU_Bow@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: fugue.com; dkim=none (message not signed) header.d=none;fugue.com; dmarc=none action=none header.from=arbor.net;
x-originating-ip: [2405:9800:b408:a9c1:213f:172e:972e:6441]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM2PR0101MB1038; 7:VFGjixaOaPue8roXtLwZLY3piWGM6BwS6pALooK/tuMTEAPRHKHJML0q+DNxdz4tBahyt0KR60M/XC507NCf5B0w14S/4IwLsMsCkRo4/fHxdjvgMJaeGKaYoQoNZUhvBXGFJJxdcfLMEENrVgLquRp4pZTIxrua0dv0IFq4r9uQeb3fihJXq58a81f1p5zmYDZdTCb4BYKrm+FveL0NKtoRsx+jOk1xrpyCkHmj9AlH/2E9FN9FFIsaAUZ5k1E4F+itj4rAPpwLZE1vg5R7Nwjly3D+tS+Q9grxX1qyZVAXDwlEiMv8vko1/AhO8UPGA4Xo74ojbxBJ8EGv1TlIr2ZlLL290FNznY64W2JO8gyMKcI+DByvUSBt7JXTzYpQEDrG41rFmfIpSq+l7r5SFSgbUOWptSWyKzy+dB5YlpwqSH5tUURjx5Z8xP6dtNXKRC3YaybKAGK8JOxk9cfwusINKOmdFglCbMn+5l7zDXxd0XDt/M8nRziLcoT/9hi9zuVZUTs6+GvQNf9Lsd6AvQH/aLOsLaS7FO33u2zlyp1ufdR+wDMywbISbViesgSVDIaltFo+4i1sVXeB0RaFj69em3wvhWwvJGgvpiBIuqY4qIDC7YIct4KVRFbI1Z54oFQ0nLAhRN1wNdULSXyMiuvPdbsZczfDTKLtD77/k7lCfNkmjCyRWS1f6GNXYgZ/cxErdqvr5QBsy4qlfKX9rG3Tfvlq0s0KkSA/8X8R3XUlVuAzmE3Z5F29jEtsKeczpFN2roNmPxTvWoiVDRaWWMipTTRGFhCp7HBxT2T7mNQ=
x-ms-office365-filtering-correlation-id: ebca30de-f2c4-4a8f-4ee0-08d4cb56c9b5
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:DM2PR0101MB1038;
x-ms-traffictypediagnostic: DM2PR0101MB1038:
x-exchange-antispam-report-test: UriScan:(278428928389397)(236129657087228)(192374486261705);
x-microsoft-antispam-prvs: <DM2PR0101MB103888CF38438FFF658A3370CAA20@DM2PR0101MB1038.prod.exchangelabs.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(2017060910075)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(3002001)(6041248)(20161123560025)(20161123562025)(20161123564025)(20161123555025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM2PR0101MB1038; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM2PR0101MB1038;
x-forefront-prvs: 0369E8196C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39400400002)(39830400002)(39410400002)(39450400003)(24454002)(53936002)(110136004)(38730400002)(6246003)(6116002)(102836003)(53546010)(76176999)(50986999)(3280700002)(6506006)(54356999)(81166006)(14454004)(3660700001)(8676002)(39060400002)(189998001)(2906002)(33656002)(36756003)(8936002)(93886004)(54906002)(6512007)(99286003)(6436002)(230783001)(5660300001)(305945005)(478600001)(4326008)(6916009)(25786009)(7736002)(82746002)(86362001)(2900100001)(5250100002)(83716003)(2950100002)(6486002)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0101MB1038; H:DM2PR0101MB1039.prod.exchangelabs.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: arbor.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2017 07:54:57.6092 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 54f11205-d4aa-4809-bd36-0b542199c5b2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0101MB1038
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ydRRd_mKtywdO0sB8T336r34u-4>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Jul 2017 07:55:02 -0000


> On Jul 15, 2017, at 14:48, Ted Lemon <mellon@fugue.com> wrote:
> 
> In the event that it is not feasible for an operator to obtain the plaintext of a message without the key, isn't that because they don't control either endpoint?

First of all, what goes on the wire is often contextually different  (and probatively so) from what's recorded in abstract log files. 

Secondly, administrative divisions within a single organization often impede cooperation between those tasked with securing & troubleshooting communications and those who 'own' the assets in question. 

Thirdly, for both security & troubleshooting applications, the hard requirement is for real-time visibility & possible intercession, not ex post facto analysis. 

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>