IETF Logo Mail Archive

Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

tom petch <daedulus@btconnect.com> Mon, 04 May 2020 10:59 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40603A058F for <uta@ietfa.amsl.com>; Mon, 4 May 2020 03:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAkbmbaCn_DO for <uta@ietfa.amsl.com>; Mon, 4 May 2020 03:59:26 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80093.outbound.protection.outlook.com [40.107.8.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E2563A053F for <uta@ietf.org>; Mon, 4 May 2020 03:59:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Qrtgv3WeVC6PVI+9Wou7n4kfM7iU4RZfOGp58+tKf+hUNscp/sXmSzDgpCIBDWdjLdrxvAmxPVuW3SgNjXuhyBHXISge+9SpbDhjSZtUQ/KRpxscCp6oG82ZSe+qvSrdVx75B+0LUXsbxramz3rwesoTv23eUiVebx+GVlfl2CZsYmZsNYc+GeMAryj8Y0QYmmNDRRBqVhKEfKdltEg9uCTd4iHDob+ysWw1JaAVb0rzIpbFKC0eeZaxc3ugz5xs9V7CRHudUeYo3QyUpvXSTzhYbwGStUNvjyRA88yqB9IRs5MDnQeefo7LPuflrLBmOyFOF2XKSy6ox8JvncBARg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=M+yRdUJuN+ahIOvV7g+XPDLgk9UY3WgzD9dNFnkHBJw=; b=dus0/+g4HlV8kPtqqC+H0KtrOm10aV5+3V6z9EvvGdJe5N+VCMJ+84q8IdBiVX76JKP2v4fP6l4gyyKPDUIS5qnDrLguVF+b9DzeTrp19PpgnNTaFYxzyRrFrTvOGUZB/oXKSX7KYVwuSPhQFZyZVQ55VU6wTPae1HFHDkZLc5s0F18gRrT5We+Mxhu1Qr4vHhW8XwoZ2CGyFPzw9IfQ3+s88hb81FOZIXeI2Q8ciU6+33WmlNyE2JKG2f/99ftixyIuc/VHXZaMjIKCKXtm3LMc0txwJEq6ZCd9F2cRqBd2lzyyoN73nXMOlRKiXTH/dNd4MoySFpL+w1TlvC5wRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=M+yRdUJuN+ahIOvV7g+XPDLgk9UY3WgzD9dNFnkHBJw=; b=mZbRAFzoQTI7gjJBoo15eIO8kcbQ53qRKVcadTOszL/1UwgWrf76QS8w5pDGeo5HSJwzNuF8g8m81LO+27Z1xa8QjecmYyvWraRyBwXxXP0TBMNZRbZIg3LCIuz1ruACzIhKJJpkpzdn16W+fBJMzdSRiBuxf1L6/FqjoU6bWUk=
Authentication-Results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR0701MB2480.eurprd07.prod.outlook.com (2603:10a6:800:63::16) by VI1PR0701MB2336.eurprd07.prod.outlook.com (2603:10a6:800:6b::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.20; Mon, 4 May 2020 10:59:24 +0000
Received: from VI1PR0701MB2480.eurprd07.prod.outlook.com ([fe80::5d8c:61fc:f193:d487]) by VI1PR0701MB2480.eurprd07.prod.outlook.com ([fe80::5d8c:61fc:f193:d487%8]) with mapi id 15.20.2979.024; Mon, 4 May 2020 10:59:23 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <1UW7qWO4vA.17rUXhBMkf8@pc8xp> <CAEKAoHTJ4S5Wfkb4KB+ZWQN7JO_Q-DXDcEz5pqd7MPMhyj_CDQ@mail.gmail.com> <1UW7rcJSVn.1ewl1Eq5e3S@pc8xp> <CABcZeBMPRDsJ9rbffk2K76HQk9f3c=dZKCPy+0y12YHQ+-9+AA@mail.gmail.com>
Date: Mon, 04 May 2020 11:59:14 +0100
Message-ID: <1UW9CaTYGG.2cwcof6jEuv@pc8xp>
In-Reply-To: <CABcZeBMPRDsJ9rbffk2K76HQk9f3c=dZKCPy+0y12YHQ+-9+AA@mail.gmail.com>
From: tom petch <daedulus@btconnect.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Ralph Holz <ralph.holz@gmail.com>, "uta@ietf.org" <uta@ietf.org>
User-Agent: OEClassic/3.0 (WinXP.2600; F; 2019-11-28)
X-ClientProxiedBy: LO2P265CA0391.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::19) To VI1PR0701MB2480.eurprd07.prod.outlook.com (2603:10a6:800:63::16)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from pc8xp (81.131.229.19) by LO2P265CA0391.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.27 via Frontend Transport; Mon, 4 May 2020 10:59:23 +0000
X-Originating-IP: [81.131.229.19]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 352b39b9-9e7e-4752-b2a5-08d7f01a3471
X-MS-TrafficTypeDiagnostic: VI1PR0701MB2336:
X-Microsoft-Antispam-PRVS: <VI1PR0701MB2336499545227F2634B47713C6A60@VI1PR0701MB2336.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-Forefront-PRVS: 03932714EB
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: wCIH/M1Bs8qQn0UBldf4ghvRnv/YvknF6v3o9iYkz2Cyl6mocjMn16nVf6ibrsAUVVm423eaZ5NWKj04zyXYLkgYp3+lYKOWiD8DmteIrp36XmrvVPXaf8mbIfDTSJaj3+cH4nURyIaB//hlRkKskBQCdr4+Axv5pg8csoBtvMpSWOEYRdGVvqi2CHTb+n9OEIzDnOdtIExJpasuFH3/feoUwCSwVZkRj38H5okExq2cF8tEjJwJOrEe3ljBMSDDoGL68sGyyqCM87dSfJ4L09yUQD/xZHrAx9WiTtQBVuQDChv+ocy0w0QLONHWo5YqV4IabAiq2g/PDQ9KIBBYwCa9r1s7NJjtZh9T0cHaVN0YMWLaw8FTF4ncYYWFB8Ws+Jo4/VrU6Y4k+dQBtAAnHMQI7v9Cj17HCl/NPWOlRNq32SAsQqZSqFbrUiLQWqJpEp/KffJMr3OE1hZjWqNYu9+OQzGHMVjI33jfx6sM9iiSH1H/fu5zrSvdop+ep14a/pn3hUdGsXqfQOnporxjUg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR0701MB2480.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(346002)(366004)(136003)(376002)(396003)(39860400002)(186003)(66476007)(66946007)(16526019)(66556008)(6916009)(26005)(956004)(45080400002)(478600001)(966005)(9576002)(33716001)(55016002)(9686003)(66574012)(6666004)(86362001)(316002)(54906003)(2906002)(4326008)(8676002)(6496006)(52230400001)(8936002)(52116002)(5660300002)(53546011); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: K5w+karvobWyi5h2lOl5ZJfJIS3ulF0bmpLQzBgQW2mfisf9Mu5/Ehd+bQnXt3qnt07bhJcKXsKBfMgZtG2j61TLZsryzqHMqW56rZW/hZUgX/HxuhqyrkkHEjMoNCqHQRybWagb7evLMNRjfe22WG3KEIe8PD3p0U6Q//fnY9/qEjQ1kOL4yJGCjPbEocBWYP2lxrmaigCAJkXqoc+4kniPdDIvbGkkqGdvR+r7CHp9SyPGCeNQ7OHAjt8xYunJv5Xv7oMQptm0LS31R2LqiyS+WLGRQOcxrVkPZSMDdZRowrtKlCG0MWqgOl/M8X+yzeRKXkt/xDbT+FoDeLBHbKSa48A5bR1ciWzYUYDapmLMMFqGeHBSQxD4utKeInkT4Qz4BmkQVtKmhxjUYlUzBDpcNeLVfcUH8KZRvuh+XCDEUF/j4JCK6E6d8ssKmMUPYWG8Y75hob36MraiXtZ30AnUUWwUTpi+5kjkGk9aXI4KsCoT83vpNcxjCdAiQ09bTzY7FJK4vxyrqJ+B5wWQ+pyiKsx4yedL9wbvA46GeqpbJE90gzyHfMZ73sXeEaMyd+BBL8IUXRHwRrkCl5ZtgJ0fZJvdaMA2254YjTut8fRbbhRZCPnh9nhmAVwVWAPu3zLLHOF383RtCdcUSqjxGWPNj4r3CVjyY+kuAjU3qxIKZK+kS49hwuZvpmBIoUo2pK3EdCuU0GYZXU4UnvDwMEvj2IqjYRg8yhvirCVQXrURwAPDmM33NR8OXZbf3i1JdJV1rzSJxJJDtyhwbLrjprGEB04r6Y6nPJusvY1ZmYc=
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 352b39b9-9e7e-4752-b2a5-08d7f01a3471
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 May 2020 10:59:23.7936 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: X4MIpVoKfMBmCXM3p0dzwPyw5cHgxfHkCzrFbcGjOE+DDoYBUwddlNZ5XLe6zZCbGVNZSQZ1N/LxxqTU3HmGCA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2336
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/5LLMyVIwCQFrArv7v45uinXx4nA>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 10:59:29 -0000

<inline>
----- Original Message -----
From: Eric Rescorla ekr@rtfm.com
Sent: 01/05/2020 22:45:35


On Tue, Apr 28, 2020 at 1:41 AM tom petch <daedulus@btconnect.com> wrote:

One requirement that was raised in the later stages of the work on TLS 1.3 related to audit, and was raised, I think, by representatives of the finance industry; the WG rejected the requirement. 


It's worth noting that to the extent that this is a requirement, it is already violated by any installation which is compliant with RFC 7525. The auditing techniques in question depend un using static RSA cipher suites, but 7525 https://tools.ietf.org/rfcmarkup?doc=7525#section-4.1 *already* prohibits those at the SHOULD level and requires forward that forward secure cipher suites be implemented and preferred at the MUST level:


   o  Implementations SHOULD NOT negotiate cipher suites based on RSA
      key transport, a.k.a. "static RSA".

      Rationale: These cipher suites, which have assigned values
      starting with the string "TLS_RSA_WITH_*", have several drawbacks,
      especially the fact that they do not support forward secrecy.

   o  Implementations MUST support and prefer to negotiate cipher suites
      offering forward secrecy, such as those in the Ephemeral Diffie-
      Hellman and Elliptic Curve Ephemeral Diffie-Hellman ("DHE" and
      "ECDHE") families.

      Rationale: Forward secrecy (sometimes called "perfect forward
      secrecy") prevents the recovery of information that was encrypted
      with older session keys, thus limiting the amount of time during
      which attacks can be successful.  See Section 6.3 for a detailed
      discussion.

<tp>
Yes and it is a SHOULD not a MUST.  If audit cannot take place, then it is easier for bad actors to use the technology be they pursuant of fraud, terrorism or whatever.  I think that concerns about the bad behaviour that the Internet facilitates is growing and we may get pushback on the IETF at large.  I see TLS 1.3 as emphasising privacy at a time when the world at large is waking up to the abuses that that enables.

As others have said, beyond adding a 'bis' this I-D seems devoid of anything new and so, to me, seems too risky to adopt.  It is a blank slate.

---
New Outlook Express and Windows Live Mail replacement - get it here:
https://www.oeclassic.com/

Tom Petch


Since then, I have seen suggestions on the TLS and other lists, and in the press, about the development of alternative protocols to meet the requirements that TLS 1.3 does not. 


Yes, I'm aware of at least one of those efforts (eTLS), however so far it seems to have only minimal adoption. At least in the Web environment, I am unaware of any browser or server which is interested in implementing it.


-Ekr

v2.23.0 | Report a Bug | By Email