Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Stephen Farrell
On 12/07/17 21:01, Kathleen Moriarty wrote: > With no hat on... > > The difference with the WordPress & SMTP examples is that you know > content will sit in plaintext on the servers, whereas with POTS, you > need to wiretap to get the voice content. You only expect the log > that the call

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kathleen Moriarty
With no hat on... Sent from my iPhone > On Jul 12, 2017, at 6:18 PM, Stephen Farrell > wrote: > > > >> On 12/07/17 16:54, Kyle Rose wrote: >> On Wed, Jul 12, 2017 at 11:28 AM, Stephen Farrell >> wrote: >> >>> >>> On 12/07/17

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Stephen Farrell
On 12/07/17 16:54, Kyle Rose wrote: > On Wed, Jul 12, 2017 at 11:28 AM, Stephen Farrell > wrote: > >> >> >> On 12/07/17 16:27, Kyle Rose wrote: >>> The telco in the POTS case isn't either endpoint. The third-party >>> surveillance is unknown to those endpoints.

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Wed, Jul 12, 2017 at 11:28 AM, Stephen Farrell wrote: > > > On 12/07/17 16:27, Kyle Rose wrote: > > The telco in the POTS case isn't either endpoint. The third-party > > surveillance is unknown to those endpoints. Therefore: wiretapping. > > Same in the

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Wed, Jul 12, 2017 at 11:18 AM, Stephen Farrell wrote: > > If one endpoint is feeding > > cryptographic material to a third party (the only way that information > gets > > out to the third party, vulnerabilities notwithstanding), they are > > collaborating, not

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Wed, Jul 12, 2017 at 10:38 AM, Ted Lemon wrote: > On Jul 12, 2017, at 10:32 AM, Richard Barnes wrote: > > Oh, come on. You've never seen code in a library that implements > something that's not in an IETF RFC? > > > Of course I have. I think that putting a

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Ted Lemon
On Jul 12, 2017, at 10:35 AM, Kyle Rose wrote: > Which will have zero impact on pervasive surveillance until some government > decides they want to use this mechanism or something like it and mandates > that it be implemented universally within their borders. Then it will

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Wed, Jul 12, 2017 at 10:22 AM, Ted Lemon wrote: > On Jul 12, 2017, at 10:18 AM, Kyle Rose wrote: > > We need to dispel the myth that mere inaction on our part will on its own > prevent implementation of these mechanisms, if for no other reason but to >

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Richard Barnes
On Wed, Jul 12, 2017 at 10:22 AM, Ted Lemon wrote: > On Jul 12, 2017, at 10:18 AM, Kyle Rose wrote: > > We need to dispel the myth that mere inaction on our part will on its own > prevent implementation of these mechanisms, if for no other reason but to >

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Ted Lemon
On Jul 12, 2017, at 10:18 AM, Kyle Rose wrote: > We need to dispel the myth that mere inaction on our part will on its own > prevent implementation of these mechanisms, if for no other reason but to > redirect energy to the political arena where the pervasive monitoring battles

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Wed, Jul 12, 2017 at 8:57 AM, Ted Lemon wrote: > The problem is that in modern times we can't assume that collaboration is > consensual, so the rules in RFC2804 aren't as applicable as they were. > Until someone comes up with a technical countermeasure for involuntary

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Ted Lemon
On Jul 12, 2017, at 8:24 AM, Kyle Rose wrote: > Much of this conversation seems to conflate wiretapping with collaboration. > 2804 has a clear definition of wiretapping: The problem is that in modern times we can't assume that collaboration is consensual, so the rules in

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-12 Thread Kyle Rose
On Tue, Jul 11, 2017 at 9:11 AM, Ted Lemon wrote: > It’s also true that you can just exfiltrate every key as it’s generated, > but that’s not what’s being proposed and would not, I think, suit the needs > of the operators who are making this proposal. > > I don’t see how you

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Bill Frantz
I must admit that I mostly agree with Stephen that this kind of thing should not exist. However, it exists now, and the chairs have decided we should at least discuss it. I think there are many ways to meet the "requirements" of network monitoring and protocol debugging, and some are worse

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Nico Williams
On Tue, Jul 11, 2017 at 05:16:31PM -0400, Ted Lemon wrote: > On Jul 11, 2017, at 4:58 PM, Ted Lemon wrote: > > On Jul 11, 2017, at 4:31 PM, Stephen Farrell > > wrote: > >> I'd bet folks would invent proprietary > >>

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Stephen Farrell
On 11/07/17 23:09, Yoav Nir wrote: > Whether one party to a conversation (phone or IP) has the right to > share private contents with a third party is a legal matter that > varies from country to country and from state to state. I only claim > that this draft does not change the fact that is

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Yoav Nir
> On 12 Jul 2017, at 0:21, Stephen Farrell wrote: > > > > On 11/07/17 22:10, Yoav Nir wrote: >> If one of the parties to a conversation cooperates with the wiretap, >> this isn’t an attack. > Lemme try on this one again from a different angle. > > In classic

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Stephen Farrell
On 11/07/17 22:10, Yoav Nir wrote: > If one of the parties to a conversation cooperates with the wiretap, > this isn’t an attack. Lemme try on this one again from a different angle. In classic telephony wiretaps the carrier does the tap. There are similar situations with TLS... In hosted

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Yoav Nir
> On 11 Jul 2017, at 23:54, Christian Huitema wrote: > > On 7/11/2017 1:31 PM, Stephen Farrell wrote: > >> PS: There are also genuine performance reasons why the same >> DH public might be re-used in some cases, so there would be >> false positives in a survey to consider

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Blumenthal, Uri - 0553 - MITLL
I’d rather not deal with this whole mess. -- Regards, Uri On 7/11/2017, 16:56, "TLS on behalf of Christian Huitema" wrote: On 7/11/2017 1:31 PM, Stephen Farrell wrote: > PS: There are also genuine performance reasons why the

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Christian Huitema
On 7/11/2017 1:31 PM, Stephen Farrell wrote: > PS: There are also genuine performance reasons why the same > DH public might be re-used in some cases, so there would be > false positives in a survey to consider as well. Well, yes. The classic argument is performance. Saving the cost of

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Stephen Farrell
On 11/07/17 21:03, Ted Lemon wrote: > Ah, you mean the first time the attack happens in the wild. Well, the first time it's detected in the wild. > Sure, I > can see that, but that gains the attacker no real advantage over just > exfiltrating all the keys. I agree. I think one can

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Ted Lemon
On Jul 11, 2017, at 3:59 PM, Stephen Farrell wrote: > I can't see that happening. Once the first example.com > is called > out for using this, others will make their list longer or take > other approaches, e.g. use one exfiltrated private value as

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Ted Lemon
On Jul 11, 2017, at 3:40 PM, Stephen Farrell wrote: > It'd seem possible for a server to hold a rather long > list of re-used static DH values and unlikely for normal > clients to detect those. Bearing in mind that the current proposal is intended to perpetuate a

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Stephen Farrell
On 11/07/17 20:11, Christian Huitema wrote: > > For various reasons, some implementations may be tempted to use static > (EC) DH private key. Using such keys lowers the security guarantees of > TLS 1.3. Adversaries that get access to the static (EC) DH private key > can now get access to the
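The messages above from Christian Huitema (a survey for re-used DH values would have false positives) and Ted Lemon (a server could rotate through a long list of static values that a normal client would not notice) raise a practical question: what can an observer actually detect from the wire? The following is an added example, not code from this thread, from the draft, or from any implementation discussed here. It builds minimal TLS 1.3 ServerHello messages as constructed test input (32 random bytes stand in for X25519 public keys; no key agreement is performed), parses the key_share extension back out, and counts how often the same server share recurs across observed handshakes. The `simulate` helper and its round-robin pool are an assumed model of server behaviour for illustration only.

```python
import os
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Extension and group code points from RFC 8446 / IANA TLS registries.
KEY_SHARE = 0x0033
SUPPORTED_VERSIONS = 0x002B
X25519 = 0x001D
TLS13 = 0x0304


def build_server_hello(key_exchange: Optional[bytes], group: int = X25519) -> bytes:
    """Build a minimal TLS 1.3 ServerHello handshake message as constructed test input.

    key_exchange is the server's key_share value (32 random bytes stand in for an
    X25519 public key here; no real key agreement is performed). Passing None omits
    the key_share extension, which a conforming TLS 1.3 ServerHello never does.
    """
    exts = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, TLS13)
    if key_exchange is not None:
        entry = struct.pack("!HH", group, len(key_exchange)) + key_exchange
        exts += struct.pack("!HH", KEY_SHARE, len(entry)) + entry
    body = (
        b"\x03\x03"              # legacy_version
        + os.urandom(32)         # random
        + b"\x00"                # legacy_session_id_echo: empty
        + b"\x13\x01"            # cipher_suite: TLS_AES_128_GCM_SHA256
        + b"\x00"                # legacy_compression_method
        + struct.pack("!H", len(exts)) + exts
    )
    return b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello(2)


def server_hello_key_share(msg: bytes) -> Tuple[int, bytes]:
    """Parse a ServerHello handshake message and return (group, key_exchange)."""
    if not msg or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                               # legacy_version + random
    pos += 1 + body[pos]                       # legacy_session_id_echo (any length)
    pos += 2 + 1                               # cipher_suite + legacy_compression_method
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == KEY_SHARE:
            if len(data) == 2:
                # A HelloRetryRequest carries only selected_group, no key_exchange.
                raise ValueError("HelloRetryRequest: key_share carries only selected_group")
            group, klen = struct.unpack("!HH", data[:4])
            key_exchange = data[4:4 + klen]
            if len(key_exchange) != klen:
                raise ValueError("malformed key_share entry")
            return group, key_exchange
    raise ValueError("no key_share extension in ServerHello")


def reuse_report(handshakes: List[bytes]) -> Dict[str, object]:
    """Count how often each (group, key_exchange) value recurs across observed ServerHellos."""
    seen: Counter = Counter(server_hello_key_share(m) for m in handshakes)
    reused = {share: n for share, n in seen.items() if n > 1}
    return {"handshakes": len(handshakes), "distinct_shares": len(seen), "reused": reused}


def simulate(handshakes: int, pool_size: Optional[int]) -> Dict[str, object]:
    """Assumed server model for illustration: pool_size=None means a fresh share per
    handshake; otherwise the server round-robins over a fixed pool of static shares."""
    pool = None if pool_size is None else [os.urandom(32) for _ in range(pool_size)]
    msgs = []
    for i in range(handshakes):
        share = os.urandom(32) if pool is None else pool[i % len(pool)]
        msgs.append(build_server_hello(share))
    return reuse_report(msgs)


if __name__ == "__main__":
    print("ephemeral server, 100 handshakes:", simulate(100, None)["distinct_shares"], "distinct shares")
    print("one static key, 100 handshakes:  ", simulate(100, 1)["distinct_shares"], "distinct share")
    print("pool of 1000, 10 handshakes:     ", len(simulate(10, 1000)["reused"]), "reused (a small survey sees nothing)")
    print("pool of 1000, 2000 handshakes:   ", len(simulate(2000, 1000)["reused"]), "reused")
```

The last two cases are the caveat from the discussion: a client that sees a handful of handshakes against a server rotating through a large pool of static shares observes no repetition at all, and only a survey that collects more samples than the pool holds, over a long enough window, sees the reuse. The opposite error also applies: a server that legitimately caches a share for a short time will show repeats in a small window, so a survey has to state both its sample count and the time span before calling a server "static".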

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Stephen Farrell
On 11/07/17 20:01, Michael StJohns wrote: > Basically, 2804 is woefully out of date with respect to the current > state of the world. As I said before I do think the authors of this draft should indeed have said that it needs to obsolete 2804 as that is required for them to get the standards

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Michael StJohns
On 7/10/2017 3:38 PM, Stephen Farrell wrote: On 10/07/17 17:42, Colm MacCárthaigh wrote: It's clear that there is a strong distaste here for the kind of MITM being talked about It is not (only) "distaste," it is IETF policy as a result of a significant debate on wiretapping. It is a policy

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Ackermann, Michael
issues addressed. From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ted Lemon Sent: Tuesday, July 11, 2017 7:02 AM To: Stephen Farrell <stephen.farr...@cs.tcd.ie> Cc: Polk, Tim (Fed) <william.p...@nist.gov>; IETF TLS <tls@ietf.org> Subject: Re: [TLS] chairs - please shutdown wire

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Ted Lemon
What the draft actually says is that you can install a fixed key on the server rather than generating new keys every time, and then that fixed key can also be installed on monitoring software. This is, I believe, the actual intended use of the proposal. It’s also true that you can just

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-11 Thread Ted Lemon
On Jul 10, 2017, at 5:35 PM, Stephen Farrell wrote: > Consider SMTP/TLS. Where one MTA on the path supports this. > Say it's one operated by an anti-spam company for example. > That is clearly not the sender nor recipient. > > That meets all 4 points in 2804, right? I

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Watson Ladd
On Jul 10, 2017 4:09 PM, "Eric Mill" wrote: On Mon, Jul 10, 2017 at 6:07 PM, Russ Housley wrote: > > >> So, I failed to convince you. However, you have also failed to > >> convince me that the proposal is wiretapping under the definition in > >> RFC

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Jeffrey Walton
On Mon, Jul 10, 2017 at 3:37 PM, Stephen Farrell wrote: > > And if coercion of a server to comply with a wiretap > scheme like this stills fanciful to you, please check > out the history of lavabit - had there been a standard > wiretap API as envisaged here it's pretty

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Eric Mill
On Mon, Jul 10, 2017 at 6:07 PM, Russ Housley wrote: > > >> So, I failed to convince you. However, you have also failed to > >> convince me that the proposal is wiretapping under the definition in > >> RFC 2804, Section 3. > > > > Consider SMTP/TLS. Where one MTA on the

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 23:32, Russ Housley wrote: > Stephen: > > >> And to avoid a repeat of Russ' failed justification, many >> protocols use and depend on TLS where the entity >> controlling the TLS server private key materials is not the >> higher layer sender or receiver, so all

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Russ Housley
Stephen: > And to avoid a repeat of Russ' failed justification, many protocols > use and depend on TLS where the entity controlling the TLS server > private key materials is not the higher layer sender or receiver, > so all four points in the definition in 2804 are fully met

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 23:07, Russ Housley wrote: > Stephen: > >>> And to avoid a repeat of Russ' failed justification, many protocols use and depend on TLS where the entity controlling the TLS server private key materials is not the higher layer sender or receiver, so all four points

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Russ Housley
Stephen: >> >>> And to avoid a repeat of Russ' failed justification, many protocols >>> use and depend on TLS where the entity controlling the TLS server >>> private key materials is not the higher layer sender or receiver, >>> so all four points in the definition in 2804 are fully met by your

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 22:26, Russ Housley wrote: > Stephen: > >> And to avoid a repeat of Russ' failed justification, many protocols >> use and depend on TLS where the entity controlling the TLS server >> private key materials is not the higher layer sender or receiver, >> so all four points in the

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Russ Housley
Stephen: > And to avoid a repeat of Russ' failed justification, many > protocols use and depend on TLS where the entity controlling > the TLS server private key materials is not the higher > layer sender or receiver, so all four points in the definition > in 2804 are fully met by your wiretapping

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Sean Turner
> On Jul 10, 2017, at 15:29, Stephen Farrell wrote: > > You did not respond about the Prague agenda. I continue to ask that > you not give this bad idea more f2f time. If you do give it time, > then I'd ask for equal time to debunk this bad idea. But better to > have

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Ackermann, Michael
...@gmail.com] Sent: Monday, July 10, 2017 4:11 PM To: Ackermann, Michael <mackerm...@bcbsm.com> Cc: Polk, Tim (Fed) <william.p...@nist.gov>; tls@ietf.org Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... On Jul 10, 2017 8:46 AM, "Ackermann, Michael"

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
kerm...@bcbsm.com>; Polk, Tim (Fed) > <william.p...@nist.gov>; tls@ietf.org Subject: Re: [TLS] chairs - > please shutdown wiretapping discussion... > > > > On 10/07/17 16:30, Ackermann, Michael wrote: >> Given the above scenario, I do not understand how this can be

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Ackermann, Michael
] Sent: Monday, July 10, 2017 3:37 PM To: Ackermann, Michael <mackerm...@bcbsm.com>; Polk, Tim (Fed) <william.p...@nist.gov>; tls@ietf.org Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... On 10/07/17 16:30, Ackermann, Michael wrote: > Given the above

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Watson Ladd
going nowhere from eating up all the bandwidth. *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Polk, Tim (Fed) *Sent:* Monday, July 10, 2017 9:54 AM *To:* tls@ietf.org *Subject:* Re: [TLS] chairs - please shutdown wiretapping discussion... First, I do not see this as a “wiretappin

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Nico Williams
On Mon, Jul 10, 2017 at 08:29:26PM +0100, Stephen Farrell wrote: > On 10/07/17 17:57, Sean Turner wrote: > > After some discussion amongst the chairs, we have decided to not shut > > down the discussion about draft-green-tls-static-dh-in-tls13. > > Ok, that's your call. But a bad call IMO. IMO

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 17:42, Colm MacCárthaigh wrote: > It's clear that there is a strong distaste here for the kind of MITM being > talked about It is not (only) "distaste," it is IETF policy as a result of a significant debate on wiretapping. S

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 16:30, Ackermann, Michael wrote: > Given the above scenario, I do not understand how this can be construed as > "Wiretapping". 2804 seems to make this clear. TLS is much more widely used than you seem to imagine. Please see the comments to the effect that there is no way to

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 20:07, Blumenthal, Uri - 0553 - MITLL wrote: > My $0.02: absolutely not on the Standards Track (for reasons already > expressed by others), might be discussable if Informational. I haven't checked, but as far as I recall, other wiretapping RFCs inconsistent with 2804 have all been

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
On 10/07/17 17:57, Sean Turner wrote: > Stephen, > > After some discussion amongst the chairs, we have decided to not shut > down the discussion about draft-green-tls-static-dh-in-tls13. Ok, that's your call. But a bad call IMO. This topic, if not the specific draft, was already the subject

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Blumenthal, Uri - 0553 - MITLL
My $0.02: absolutely not on the Standards Track (for reasons already expressed by others), might be discussable if Informational. -- Regards, Uri Blumenthal On 7/10/17, 15:03, "TLS on behalf of Nico Williams" wrote: On Mon, Jul 10,

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Nico Williams
On Mon, Jul 10, 2017 at 08:01:32PM +0300, Yoav Nir wrote: > > On 10 Jul 2017, at 17:16, Stephen Farrell wrote: > >> 2. this proposal offers > >> significantly better security properties than current practice > >> (central distribution of static RSA keys) > > > > I

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Yoav Nir
> On 10 Jul 2017, at 17:16, Stephen Farrell wrote: > > >> 2. this proposal offers >> significantly better security properties than current practice >> (central distribution of static RSA keys) > > I fail to see any relevant difference in security properties >

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Sean Turner
Stephen, After some discussion amongst the chairs, we have decided to not shut down the discussion about draft-green-tls-static-dh-in-tls13. We are not shutting down this discussion because this topic is relevant to the constituents on both sides of the issue in the working group and there is

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Colm MacCárthaigh
On Mon, Jul 10, 2017 at 8:14 AM, Nikos Mavrogiannopoulos wrote: > Certainly, but that doesn't need to happen on this working group, nor > protocols which implement similar solutions need to be called TLS. > I'll belabor this point: rather than thinking about what these

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Ackermann, Michael
ent: Monday, July 10, 2017 9:54 AM To: tls@ietf.org Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... First, I do not see this as a "wiretapping discussion" based on my reading of 2804, although others may disagree. Second, I believe that this discussion should go fo

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Nikos Mavrogiannopoulos
On Mon, 2017-07-10 at 13:54 +, Polk, Tim (Fed) wrote: > First, I do not see this as a “wiretapping discussion” based on my > reading of 2804, although others may disagree. >   > Second, I believe that this discussion should go forward based on > several points: > this proposal does not involve

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Stephen Farrell
Hiya, While we're waiting on Sean/Joe... :-) On 10/07/17 14:54, Polk, Tim (Fed) wrote: > First, I do not see this as a “wiretapping discussion” based on my > reading of 2804, although others may disagree. s/may/do/ Figure 3 in the draft is absolutely clearly describing an architecture for

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Polk, Tim (Fed)
First, I do not see this as a “wiretapping discussion” based on my reading of 2804, although others may disagree. Second, I believe that this discussion should go forward based on several points: 1. this proposal does not involve any changes to the bits on the wire specified in the TLS 1.3

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-10 Thread Sean Turner
Message received. Expect a response in a couple of hours. spt > On Jul 8, 2017, at 05:17, Stephen Farrell wrote: > > > Sean/Joe, > > This is a request that you, as chairs, shut down the distracting > wiretapping discussion, at least until DTLS1.3 is done. > > I

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-09 Thread Stephen Farrell
On 09/07/17 07:23, Colm MacCárthaigh wrote: > Dismissing concerns with trivial and shallow analysis can serve to diminish > the success of TLS1.3, because the users don't need to adopt it, and can > end up blocking it and creating a failure of "TLS 1.3 doesn't work in XXX > environments". Over

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-09 Thread Dan Brown
Farrell Sent: Saturday, July 8, 2017 5:17 AM To: tls chair Cc: tls@ietf.org Subject: [TLS] chairs - please shutdown wiretapping discussion... Sean/Joe, This is a request that you, as chairs, shut down the distracting wiretapping discussion, at least until DTLS1.3 is done. I have planned to spend time

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-09 Thread Colm MacCárthaigh
On Sat, Jul 8, 2017 at 6:04 PM, Eric Mill wrote: > > Stating that proxies are not viable for enterprise organizations due to > the scale and complexity of their network environments is subjective, > generally not well-detailed, and much more open to skepticism. > > The burden

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Eric Mill
tephen Farrell > Sent: Saturday, July 8, 2017 10:33 > To: Yaron Sheffer <yaronf.i...@gmail.com>; tls chair < > tls-cha...@tools.ietf.org> > Cc: tls@ietf.org > Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... > > > > On 08/07/17 15:27, Yar

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Tony Arcieri
On Sat, Jul 8, 2017 at 11:17 AM Russ Housley wrote: > I want to highlight that draft-green-tls-static-dh-in-tls13-01 does not > enable MitM. The server does not share the signing private key, so no > other party can perform a valid handshake. > This method allows a

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Russ Housley
Tony: I want to highlight that draft-green-tls-static-dh-in-tls13-01 does not enable MitM. The server does not share the signing private key, so no other party can perform a valid handshake. Further, the server is choosing to use a (EC)DH key that was generated by the key manager, so it is

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Yoav Nir
> On 8 Jul 2017, at 18:39, Tony Arcieri wrote: > > I was one of the people arguing my hardest against the BITS Security proposal > to continue to (ab)use RSA static keys to allow passive MitM, even though TLS > 1.3 had already moved forward on what I would call a more

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Stephen Farrell
asing security. > > Consequently, we would ask that this discussion not be shut down as > you request. > > Paul > > -Original Message- From: TLS [mailto:tls-boun...@ietf.org] On > Behalf Of Stephen Farrell Sent: Saturday, July 8, 2017 10:33 To: > Yaron Sheffer <yar

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Tony Arcieri
On Sat, Jul 8, 2017 at 8:44 AM, Stephen Farrell wrote: > On 08/07/17 16:39, Tony Arcieri wrote: > > Clearly there are echoes of the scary protocols of yesteryear, i.e. > > Clipper/LEAP. I think if you visit Matt Green's Twitter page and check > the > > image header you

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Stephen Farrell
On 08/07/17 16:39, Tony Arcieri wrote: > Clearly there are echoes of the scary protocols of yesteryear, i.e. > Clipper/LEAP. I think if you visit Matt Green's Twitter page and check the > image header you will discover he is quite familiar with these things, and > my personal presumption would

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Tony Arcieri
I was one of the people arguing my hardest against the BITS Security proposal to continue to (ab)use RSA static keys to allow passive MitM, even though TLS 1.3 had already moved forward on what I would call a more modern protocol design of the sort I believe payments companies should embrace to

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Paul Turner
yaronf.i...@gmail.com>; tls chair <tls-cha...@tools.ietf.org> Cc: tls@ietf.org Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... On 08/07/17 15:27, Yaron Sheffer wrote: > Hi Stephen, > > Like you, I am very unhappy with this draft, and would not support its

Re: [TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Yaron Sheffer
Hi Stephen, Like you, I am very unhappy with this draft, and would not support its adoption as a WG draft. However I think that open discussion is in general good, and that the best venue for discussion of this draft is this mailing list. Even if some of this discussion devolves into generic

[TLS] chairs - please shutdown wiretapping discussion...

2017-07-08 Thread Stephen Farrell
Sean/Joe, This is a request that you, as chairs, shut down the distracting wiretapping discussion, at least until DTLS1.3 is done. I have planned to spend time reading draft 21 and DTLS, but that won't happen if we keep having to fight off the latest attempts to break TLS. I'd not be surprised