Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

I'm concerned about this work happening outside the TLS working group.  For
example, the question of proper handling of TLS extensions is not addressed
at all in this draft, and has significant security and functionality
implications.  There are various other tricky protocol issues (e.g. version
negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start,
round-trip deadlock when buffers fill, ticket (non-)reuse, client
certificate linkability pre-TLS-1.3, implications of SAN scope of
synthesized certificates) that could arise and are going to be difficult to
get right in any other WG.

The title "TLS Proxy Best Practice" implies that it is possible to proxy
TLS correctly, and that this document is the main source for how to do it.
I think the TLS WG is the right place to make those judgments.  For the
OpSec group, I think a more appropriate draft would be something like "TLS
Interception Pitfalls", documenting the operational experience on failure
modes of TLS interception.

On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=
40cisco.com@dmarc.ietf.org> wrote:

> The document is not imposing any standards but rather provide guidelines
> for those implementing TLS proxies;  given that proxies will continue to
> exist I'm not sure why there is a belief that the IETF should ignore this.
>
> Warm regards, Nancy
>
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <
> opsec-bounces@ietf.org on behalf of uri@ll.mit.edu> wrote:
>
>     I support Stephen and oppose adoption. IMHO, this is not a technology
> that IETF should standardize.
>
>
>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <
> tls-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>
>
>         I oppose adoption. While there could be some minor benefit
>         in documenting the uses and abuses seen when mitm'ing tls,
>         I doubt that the effort to ensure a balanced document is at
>         all worthwhile. The current draft is too far from what it'd
>         need to be to be adopted.
>
>         Send to ISE.
>
>         S.
>
>         On 23/07/2020 02:30, Jen Linkova wrote:
>         > One thing to add here: the chairs would like to hear active and
>         > explicit support of the adoption. So please speak up if you
> believe
>         > the draft is useful and the WG shall work on getting it
> published.
>         >
>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
>         > <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>         >>
>         >> Folks,
>         >>
>         >>
>         >>
>         >> This email begins a Call For Adoption on
> draft-wang-opsec-tls-proxy-bp.
>         >>
>         >>
>         >>
>         >> Please send comments to opsec@ietf.org by August 3, 2020.
>         >>
>         >>
>         >>
>         >>
>  Ron
>         >>
>         >>
>         >>
>         >>
>         >> Juniper Business Use Only
>         >>
>         >> _______________________________________________
>         >> OPSEC mailing list
>         >> OPSEC@ietf.org
>         >> https://www.ietf.org/mailman/listinfo/opsec
>         >
>         >
>         >
>         > --
>         > SY, Jen Linkova aka Furry
>         >
>         > _______________________________________________
>         > TLS mailing list
>         > TLS@ietf.org
>         > https://www.ietf.org/mailman/listinfo/tls
>         >
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Attachment: smime.p7s