Without taking a position on whether this group should take on this work, a
couple of questions about alternative approaches (sorry if these have been
answered before):

1. It seems like the requirement here is that the DH private key be
*predictable* by the monitoring box based on some static configuration.
That is, it seems like you could have keys that are predictable to the
monitoring device, but still vary over time, something like setting the
private key from a KDF(SecretSharedWithMonitoringDevice, ServerRandom).
Without having done much analysis, this seems more conservative than making
things entirely static. Is there a reason to prefer the purely static
approach besides simplicity?

2. You could avoid changing how the DH works altogether by simply exporting
the DH private key, encrypted with a key shared with the monitoring device,
in a server extension.  (Not in EncryptedExtensions, obviously.)  This
would also have the benefit of explicitly signaling when such monitoring is
in use.  The only real challenge here is that the client would have to
offer the extension in order for the server to be able to send it, which I
expect things like browsers would be unlikely to do.  However, given that
the target of this draft seems to be intra-data-center TLS, perhaps this is
a workable requirement?

Thanks,
--Richard


On Fri, Jul 7, 2017 at 3:02 AM, Matthew Green <matthewdgr...@gmail.com>
wrote:

> The need for enterprise datacenters to access TLS 1.3 plaintext for
> security and operational requirements has been under discussion since
> shortly before the Seoul IETF meeting. This draft provides current thinking
> about the way to facilitate plain text access based on the use of static
> (EC)DH keys on the servers. These keys have a lifetime; they get replaced
> on a regular schedule. A key manager in the datacenter generates and
> distributes these keys.  The Asymmetric Key Package [RFC5958] format is
> used to transfer and load the keys wherever they are authorized for use.
>
> We have asked for a few minutes to talk about this draft in the TLS WG
> session at the upcoming Prague IETF. Please take a look so we can have a
> productive discussion.  Of course, we're eager to start that discussion on
> the mail list in advance of the meeting.
>
> The draft can be found here:
>
> https://tools.ietf.org/html/draft-green-tls-static-dh-in-tls13-01
>
> Thanks for your attention,
> Matt, Ralph, Paul, Steve, and Russ
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
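Option 1 from the reply above (a per-connection private key derived as KDF(SecretSharedWithMonitoringDevice, ServerRandom)), worked through as an added example that is not code from this thread or from the draft. It assumes X25519 as the group and HKDF-SHA256 as the KDF, neither of which the thread specifies, and the label string and function names are hypothetical.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 ladder. Teaching code: not constant-time."""
    kn = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (kn >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_dh_private(monitor_secret: bytes, server_random: bytes) -> bytes:
    """KDF(SecretSharedWithMonitoringDevice, ServerRandom), here HKDF-SHA256."""
    prk = hmac.new(server_random, monitor_secret, hashlib.sha256).digest()  # extract
    label = b"example dh-private v1"  # hypothetical context label
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()  # expand, T(1)

def server_key_share(monitor_secret: bytes, server_random: bytes):
    priv = derive_dh_private(monitor_secret, server_random)
    return priv, x25519(priv, BASE)

def monitor_recover(monitor_secret: bytes, server_random: bytes, client_share: bytes):
    """Passive device: uses only the on-wire ServerHello.random and client share."""
    return x25519(derive_dh_private(monitor_secret, server_random), client_share)

def demo():
    secret = os.urandom(32)  # constructed: provisioned to server and monitor
    results = []
    for _ in range(2):  # two handshakes under the same static secret
        server_random, client_priv = os.urandom(32), os.urandom(32)
        _, server_share = server_key_share(secret, server_random)
        client_dh = x25519(client_priv, server_share)
        monitor_dh = monitor_recover(secret, server_random, x25519(client_priv, BASE))
        results.append((server_share, client_dh == monitor_dh))
    return results

if __name__ == "__main__":
    for share, ok in demo():
        print(share.hex()[:16], "monitor recovered (EC)DH secret:", ok)
```

The server's key share differs on every handshake, yet the monitor recovers each (EC)DH secret from values it observes in the clear; the shared configuration secret becomes the single long-lived item to protect and rotate.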