Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 03 May 2020 05:26 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Eric Rescorla <ekr@rtfm.com>, Keith Moore <moore@network-heretics.com>
CC: "uta@ietf.org" <uta@ietf.org>
Date: Sun, 03 May 2020 05:26:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/14L4SXp8ns5DR59GrjpHhp_J4Eo>
Eric Rescorla <ekr@rtfm.com> writes:

>if you are running a piece of hardware that cannot upgrade its TLS stack at
>all, you quite likely have a number of serious unpatched vulnerabilities, and
>should reconsider whether it is safe to have that hardware attached to the
>Internet.

Embedded non-upgradeable SCADA devices have some of the most secure TLS
implementations I've ever seen:

Some of the most difficult-to-attack TLS implementations that I've seen are in
embedded devices that don't have the memory to run a full TLS implementation or
to parse certificates. They understand one key agreement algorithm
(Diffie-Hellman), one encryption algorithm (AES), and one hash/MAC algorithm
(SHA-2), and nothing else. They don't know how to parse certificates, and laugh
at TLS extensions. This means that they support over _three_hundred_ fewer
cipher suites, fifty fewer key exchange parameter types, sixty fewer
extensions, and 100% less certificates and certificate extensions and
algorithms than any other implementation, and yet they still interoperate
perfectly with all of the major browsers, to which they look like a standard
TLS implementation.

As a convenient side-effect of this, whenever any new attack on TLS comes out
it bounces off these implementations because there's nothing there to attack.
You can't exploit all of the infinite quirks in the protocol and its dozens of
extensions, all of the corner cases, all of the gaps and holes and ambiguities
that open up when different protocol features interact, because they're not
present in the implementation.

Even though these TLS implementations are typically created by embedded
systems developers with little to no security experience, they're often more
secure than ones written by security experts with years or decades of
experience.

Peter.
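As an added example (not code from Peter's post or from any of the devices he describes), a Python sketch of the negotiation such a minimal stack performs: parse the ClientHello with every length checked against its enclosing structure, record how many suites and extension types the peer offers, and accept exactly one suite. The code point 0x009F (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) is an assumed stand-in for the DH/AES/SHA-2 combination; the post names the algorithms, not a suite.

```python
import struct

# Added example, not from the post. The hypothetical minimal stack knows one suite;
# 0x009F is an assumed stand-in for the "DH + AES + SHA-2" combination described.
SUPPORTED_SUITES = frozenset({0x009F})

def parse_client_hello(record):
    """Return the suites and extension types a ClientHello offers; every length is
    checked against its enclosing structure, so a malformed hello raises ValueError."""
    try:
        ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
        if ctype != 0x16 or len(record) != 5 + rlen:
            raise ValueError("not a complete handshake record")
        hs = record[5:]
        if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
            raise ValueError("not a well-formed ClientHello")
        body, pos = hs[4:], 2 + 32                          # skip client_version + random
        pos += 1 + body[pos]                                # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        if cs_len % 2 or pos + cs_len > len(body): raise ValueError("bad cipher_suites vector")
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                # compression_methods
        exts = []
        if pos < len(body):                                 # extensions block is optional
            (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
            if pos + ext_len != len(body):
                raise ValueError("extensions length mismatch")
            while pos < len(body):
                etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4 + elen
                exts.append(etype)
            if pos != len(body): raise ValueError("extension overruns block")
    except (IndexError, struct.error) as e:
        raise ValueError("truncated ClientHello") from e
    return {"suites": suites, "extensions": exts}

def select_suite(offer):
    """The whole negotiation: the single supported suite if offered, else refuse."""
    return next((s for s in offer["suites"] if s in SUPPORTED_SUITES), None)

def build_client_hello(suites, exts=()):
    """Constructed sample input for this example (not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    if exts:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

A `None` from `select_suite` is where a real stack would send a handshake_failure alert; everything the parser skips over (session id, extension bodies) is exactly the surface the post says these devices never touch.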