[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks

David Benjamin <davidben@chromium.org> Tue, 23 July 2024 18:33 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89BDC14F610 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2024 11:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.403
X-Spam-Level:
X-Spam-Status: No, score=-9.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-fztmMCW9Ca for <tls@ietfa.amsl.com>; Tue, 23 Jul 2024 11:33:29 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9465C14F5E9 for <tls@ietf.org>; Tue, 23 Jul 2024 11:33:29 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id 3f1490d57ef6-e05ecb3dbf6so5669452276.0 for <tls@ietf.org>; Tue, 23 Jul 2024 11:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1721759609; x=1722364409; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=INUTyOP4bDGuKVqq2ec1r1OLQV05XRE0oHyNfzusIQk=; b=exNdfQMqBjoM4dnglxQFQkB6Plqrd4+8/yqbAeKolCeZor1gS8iIOot96LXZ0VmiJV XQfkB+3XOvM6q9hbrN0ANpm+OP509Cqn2QhZFg8Bf3ygLOwWLS3zzhlbo1gTf1nJ9jIU Pkck7bHbzyzIdUyd9u3nPTxXSh100LcJ8aBy4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721759609; x=1722364409; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=INUTyOP4bDGuKVqq2ec1r1OLQV05XRE0oHyNfzusIQk=; b=bEHmx5C8v7Qa9YOyjdVnd0wevRtcr+RYAnBz+agWHaVSaLtXuSipIeABkPGW3f7t4X et9vwVCqKwWVA20ZDiiU9Xnb249yiZgjCN5F4qqYv+mmSIygvtL0SS1UPJuJVb+45di1 gqJpjmFSgUqDYMoqd+6p1oggcl05jox1vDNmwqqcaktfEhc7ehm9L0r3gxa1gTBM0zCg HP0SGJfolfIx8r5y28nq6EWs8lANt3UIXBTq2AafbIZ1IbHSZNBIJ6nXnO9YXK50Mgyo 7DItEuFgQlxcluWt1wbEhwpz4gHojtqS+chvtICnD96LBVz/RQqs9xBT+5kl2FD0tOTq D3Qw==
X-Forwarded-Encrypted: i=1; AJvYcCX+Z1xeMR9Uvrv0Ln7boLyzAdL4w9WUAUvLD79+Fd5QkO12LGbdOPNw8R5+LGUPm2/DluVAdLKU48qw3+0=
X-Gm-Message-State: AOJu0YxHkQveVqGEIC3WxGBS5hDUx+ncEQ0Auqrifh7ACezbXNBLGQPK 8hmk3Xq2P6KKy0CNZnqwLe1BAKpqkpbRsPVHS/kWyAKtGtZ1Tcin28OXIllXXPSzQ6WAqV30g1A ZNpFMYkub39vYrdLXA6ELe/DeB9z+QyPncZbLSWDDmm/Jl8myM5I=
X-Google-Smtp-Source: AGHT+IH6MCk5fPuR8TYG1M9eQ98Q5ZxRNIUelsT6+SY4DKBi0r5n2hfW+a9xkXbdBB8PQ97bhUE459jItFXrxs4TqLA=
X-Received: by 2002:a05:6902:1504:b0:e03:4666:6a5a with SMTP id 3f1490d57ef6-e08706a4d3emr12168047276.39.1721759608596; Tue, 23 Jul 2024 11:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cmhsh-zeJOaa7xy_2crxgvhAF=nK9FqWxxf1dB2SMhMyQ@mail.gmail.com> <Zpu0reBpH3dtFYdf@LK-Perkele-VII2.locald> <CADQzZqtsj272Gt771Ef=VhS2+WvWKkct0Jx1=wmyS7kTu0ds1w@mail.gmail.com> <CAF8qwaB3VuWSYTi-gH99+N_cgi1ZAdMpzhrSE4=KTD5xbQMwXA@mail.gmail.com> <CADQzZqtyCQwQR2WPrBdqGGUm_tvZ7Akra5z9vqJ30x9vWBtxew@mail.gmail.com> <CAF8qwaDt-vhUb-E48874QLKe-YOc3xzC4VsArzYf_BGREz0+QQ@mail.gmail.com> <CADQzZqvw0Phv1oa--C6HSZJpKkG899v36g-xXrwyiKpM8cyYJw@mail.gmail.com> <254e0d54-7438-4666-8a0b-1ddf431e65d4@dennis-jackson.uk> <CADQzZqupwoqLbJNEU4RgA+G983_a34g-MmHsJN=XZygjLtDUkw@mail.gmail.com> <5f23bc91-b0a4-4ba4-add8-e920ca9c7784@dennis-jackson.uk> <Zp6y2ImjHI1R0oy6@LK-Perkele-VII2.locald> <5a942952-09e1-4aab-b321-cb05ea9c9528@dennis-jackson.uk> <A4DA0C3B-5ED3-4A2B-8CAE-B0B1ED862F29@akamai.com> <d751b4c1-fef2-4bf8-a6a6-46d4801c8aef@dennis-jackson.uk> <B55CD6CF-8962-4FF9-9849-5A321976FB2D@akamai.com> <d43b40bd-e2b9-494c-ad8f-d8438247e61f@dennis-jackson.uk> <B449D030-EAD8-4467-8920-68DB4BCBA680@akamai.com> <CACsn0cmL8w=tXrQV6k98iaLMtC_srQccnoGKp-S9ggSARwfqZQ@mail.gmail.com>
In-Reply-To: <CACsn0cmL8w=tXrQV6k98iaLMtC_srQccnoGKp-S9ggSARwfqZQ@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 23 Jul 2024 11:33:10 -0700
Message-ID: <CAF8qwaBZTAs70yjs=kt3B_C+8VLw+oK8ukMux_GY-mfoWL9g8Q@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000dc537f061dee6528"
Message-ID-Hash: PRVDTLHNROCVRR5LUBMR4HIC5N25LZOE
X-Message-ID-Hash: PRVDTLHNROCVRR5LUBMR4HIC5N25LZOE
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zOI1vl0MSbjlVrbvAchMhNtheu4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Tue, Jul 23, 2024 at 11:10 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> On Tue, Jul 23, 2024, 11:04 AM Salz, Rich <rsalz=
> 40akamai.com@dmarc.ietf.org> wrote:
>
>> I don't think its possible to go one API / method at a time. If we want
>> to turn on a feature by default, it has to either be non-backwards
>> compatible or not break any existing API.
>>
>> I think I agree with you, or at least as far as saying that we really
>> need to hear from implementors as to the feasibility of doing this in a
>> backward-compatible and generic (not just browser/WebPKI) way.
>>
>
> Applications that don't support aren't worse off because other
> applications can use a newer PKI with fewer problems.
>

Right, incremental deployment is still valuable. Every client that is
removed from the fallback case is one less client that constrains the
fallback's intersection, and one more client that can evolve unburdened.
We've tried to be clear on this from the beginning, and haven't ever
claimed to be targeting 100% automatic client deployment. Very few things
done by this WG depend on or target that.

Of course, making things easier to deploy is always welcome. As with any
other work we do in this WG, that's often very dependent on the very
specific implementation details and what layer of the stack one works at.
ECH, at the level of most TLS libraries, required quite a few caller
changes. At the level of HTTPS libraries, however, it can plausibly be done
automatically. There's also a wide range of deployment ease, ranging from
your TLS library doing it automatically, to needing to opt-in to avoid a
couple API interactions specific to one implementation, to callers needing
to make a couple simple decisions, to callers needing to make some very
complex decisions.

Indeed part of why we've presented the second draft is that they represent
very different deployment tradeoffs. And even within a broad solution
direction, there are a lot of decisions that impact this. For example,
client ease of use for draft-beck-tls-trust-anchor-ids will change
dramatically depending on whether we use a separate connection (a la ECH)
or a retry in the handshake (a la HRR, though we might not want it to be
*exactly* HRR, we'll see). We wrote up the former just because it was a
simpler representative of the overall idea.

This all sounds like an excellent topic to continue discussing through
post-adoption. As with other IETF work at this stage, our goal here isn't
to present a complete solution, but to present a problem to solve, and some
starting points for the WG to build on.

David