Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Ben Schwartz <bemasc@google.com> Mon, 27 July 2020 13:30 UTC

References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <43A56381-0BA8-4123-A2D5-950FD1EDFC86@cisco.com>
In-Reply-To: <43A56381-0BA8-4123-A2D5-950FD1EDFC86@cisco.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 27 Jul 2020 09:30:35 -0400
Message-ID: <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zH-yBQd2fRDQR4zjc42uTr6GKxY>

I'm concerned about this work happening outside the TLS working group.  For
example, the question of proper handling of TLS extensions is not addressed
at all in this draft, and has significant security and functionality
implications.  There are various other tricky protocol issues (e.g. version
negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start,
round-trip deadlock when buffers fill, ticket (non-)reuse, client
certificate linkability pre-TLS-1.3, implications of SAN scope of
synthesized certificates) that could arise and are going to be difficult to
get right in any other WG.

The title "TLS Proxy Best Practice" implies that it is possible to proxy
TLS correctly, and that this document is the main source for how to do it.
I think the TLS WG is the right place to make those judgments.  For the
OpSec group, I think a more appropriate draft would be something like "TLS
Interception Pitfalls", documenting the operational experience on failure
modes of TLS interception.

On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=
40cisco.com@dmarc.ietf.org> wrote:

> The document is not imposing any standards but rather provides guidelines
> for those implementing TLS proxies; given that proxies will continue to
> exist I'm not sure why there is a belief that the IETF should ignore this.
>
> Warm regards, Nancy
>
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <
> opsec-bounces@ietf.org on behalf of uri@ll.mit.edu> wrote:
>
>     I support Stephen and oppose adoption. IMHO, this is not a technology
> that IETF should standardize.
>
>
>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <
> tls-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>
>
>         I oppose adoption. While there could be some minor benefit
>         in documenting the uses and abuses seen when mitm'ing tls,
>         I doubt that the effort to ensure a balanced document is at
>         all worthwhile. The current draft is too far from what it'd
>         need to be to be adopted.
>
>         Send to ISE.
>
>         S.
>
>         On 23/07/2020 02:30, Jen Linkova wrote:
>         > One thing to add here: the chairs would like to hear active and
>         > explicit support of the adoption. So please speak up if you believe
>         > the draft is useful and the WG shall work on getting it published.
>         >
>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
>         > <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>         >>
>         >> Folks,
>         >>
>         >>
>         >>
>         >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
>         >>
>         >> Please send comments to opsec@ietf.org by August 3, 2020.
>         >>
>         >> Ron
>         >>
>         >> Juniper Business Use Only
>         >>
>         >> _______________________________________________
>         >> OPSEC mailing list
>         >> OPSEC@ietf.org
>         >> https://www.ietf.org/mailman/listinfo/opsec
>         >
>         >
>         >
>         > --
>         > SY, Jen Linkova aka Furry
>         >
>         > _______________________________________________
>         > TLS mailing list
>         > TLS@ietf.org
>         > https://www.ietf.org/mailman/listinfo/tls
>         >
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
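The first pitfall in Ben's list, handling of TLS extensions, is easy to underestimate because a terminating proxy runs two independent handshakes: nothing the client sent can simply be copied into the proxy's own upstream ClientHello. The following Python is an added example, not code from the draft, the thread or any proxy product. It parses a ClientHello that is constructed in-code (the random, cipher suites and a GREASE extension are made up for the sample) and buckets the extensions by what a terminating proxy has to do with each one. The bucket assignments (re-express upstream, proxy-local, needs a policy decision) are the editor's reading of RFC 8446, not a rule from any specification.

```python
"""Classify ClientHello extensions the way a terminating TLS proxy must.

Added example for this thread; not code from the draft or any product. The
ClientHello below is constructed in-code, and the bucket assignments are an
editorial reading of RFC 8446, not a published rule.
"""
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT = {
    0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
    16: "application_layer_protocol_negotiation", 23: "extended_master_secret",
    35: "session_ticket", 41: "pre_shared_key", 42: "early_data",
    43: "supported_versions", 45: "psk_key_exchange_modes", 51: "key_share",
    65281: "renegotiation_info",
}
# A terminating proxy runs two independent handshakes, so it cannot copy the
# client's extensions into its own upstream ClientHello. (Assumed buckets.)
REEXPRESS_UPSTREAM = {0, 16, 43}   # SNI, ALPN, versions must agree on both legs
PROXY_LOCAL = {10, 13, 23, 35, 41, 45, 51, 65281}  # keys, tickets, algorithms: per leg
NEEDS_POLICY = {42}                # 0-RTT: the proxy itself must accept or reject it


def _vec(body, lenbytes):
    """Length-prefixed vector as used throughout the TLS presentation language."""
    return len(body).to_bytes(lenbytes, "big") + body


def build_client_hello(sni, alpn, versions, extra_ext=()):
    """Construct a minimal TLS 1.3-style ClientHello handshake message (no record header)."""
    exts = [
        (0, _vec(b"\x00" + _vec(sni.encode("ascii"), 2), 2)),          # ServerNameList, host_name(0)
        (16, _vec(b"".join(_vec(p.encode("ascii"), 1) for p in alpn), 2)),  # ProtocolNameList
        (43, _vec(b"".join(struct.pack("!H", v) for v in versions), 1)),    # supported_versions
    ] + list(extra_ext)
    ext_bytes = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in exts)
    body = (b"\x03\x03" + b"\x11" * 32        # legacy_version, random (constructed, not random)
            + _vec(b"", 1)                     # legacy_session_id
            + _vec(b"\x13\x01\x13\x02", 2)     # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
            + _vec(b"\x00", 1)                 # legacy_compression_methods: null
            + _vec(ext_bytes, 2))
    return b"\x01" + _vec(body, 3)             # HandshakeType client_hello(1), 3-byte length


def parse_client_hello(msg):
    """Return SNI, ALPN list, offered versions and the ordered extension types."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + body[pos]                                      # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher_suites
    pos += 1 + body[pos]                                      # legacy_compression_methods
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension block length mismatch")
    hello = {"sni": None, "alpn": [], "versions": [], "extensions": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        hello["extensions"].append(etype)
        if etype == 0:                                        # ServerNameList
            q = 2
            while q < len(data):
                ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
                if ntype == 0:
                    hello["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == 16:                                     # ProtocolNameList
            q = 2
            while q < len(data):
                plen = data[q]
                hello["alpn"].append(data[q + 1:q + 1 + plen].decode("ascii"))
                q += 1 + plen
        elif etype == 43:                                     # supported_versions
            n = data[0]
            hello["versions"] = [int.from_bytes(data[1 + i:3 + i], "big") for i in range(0, n, 2)]
    return hello


def classify_for_proxy(hello):
    """Bucket the hello's extensions by what a terminating proxy must do with them."""
    out = {"reexpress_upstream": [], "proxy_local": [], "needs_policy": [], "unknown": []}
    for t in hello["extensions"]:
        name = EXT.get(t, f"unknown({t})")
        bucket = ("reexpress_upstream" if t in REEXPRESS_UPSTREAM else
                  "proxy_local" if t in PROXY_LOCAL else
                  "needs_policy" if t in NEEDS_POLICY else "unknown")
        out[bucket].append(name)
    return out


# Constructed sample: TLS 1.3 client offering h2, 0-RTT, a key share and a GREASE
# extension (0x0a0a, RFC 8701) that a rigid proxy parser would not recognise.
SAMPLE = build_client_hello("example.com", ["h2", "http/1.1"], [0x0304, 0x0303],
                            extra_ext=[(42, b""), (51, b"\x00\x00"), (0x0a0a, b"\x00")])

if __name__ == "__main__":
    h = parse_client_hello(SAMPLE)
    print(h["sni"], h["alpn"], [hex(v) for v in h["versions"]])
    for bucket, names in classify_for_proxy(h).items():
        print(f"{bucket:20s} {names}")
```

The point of the buckets: SNI, ALPN and the offered versions have to be re-expressed on the upstream leg and kept consistent (a proxy that offers h2 to the client but only http/1.1 to the origin, or negotiates TLS 1.3 on one leg and 1.2 on the other, creates exactly the 0-RTT/False Start and version mismatches named above); key shares, PSKs and tickets are per-leg and never reusable across legs; early_data forces a policy decision the proxy must own; and anything it does not recognise, GREASE included, must be tolerated rather than rejected or blindly copied.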