Bill, I agree that we need to find the "least bad" option, if for no other reason than to prove there is no acceptable solution. If I may, I'd like to suggest another possible way to get to "least bad".
Perhaps our goal should not be to prevent servers collaborating with the monitoring, which we can't actually do anyway, but rather to ensure both sides to know when this is happening. This will give clients the opportunity to decide whether or not to allow it. A few people have started down this path on this thread. One can imagine a few ways to approach this (these are examples to get people thinking and admittedly aren't fully baked, so be nice ;-) ) 1. Define a new ciphersuite(s) explicitly for this purpose. Call it TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256_MON(itor) or whatever. This would make it obvious what's happening and the client can choose to enable or disable such cipher suites. Browser/OS vendors might let users/admins enable these cipher suites for local network connections and disable them for connections to the wider internet. 2. Include something in the server's certificate (a new X509 extension or the static ECDH key perhaps?) as a signal to the client that the server is enabling monitoring. Again, this can be allowed for connections within an organization but potentially blocked for connections to external networks. 3. Use a 3-party handshake. As I recall, there are three party versions of RSA and DH (Joux, 2000) and at least progress on making 3-party ECDH work based on Ben Lynn's work. (I haven't checked to see what the latest status on this is.) This probably becomes an extension and possibly some newly defined cipher suites as well. There may be any number of other solutions, this isn't meant to be an exhaustive list, just get people thinking. Because this request is so specialized (monitoring inside an enterprise), it seems reasonable to me that the solution can be non-generalizable to the internet at large. In fact, that's probably a desired trait. Therefore, the use of custom ciphersuites, extensions or the like may be viable, since both ends of the connection are ostensibly under the control of the enterprise. (I'm sure BITS et al will speak up if they disagree.) Cheers, Tim -- Tim Jackson Senior Product Security Architect ________________________________ From: "Bill Frantz" <fra...@pwpconsult.com<mailto:fra...@pwpconsult.com>> Date: Tuesday, July 11, 2017 at 5:43:03 PM To: "tls@ietf.org" <tls@ietf.org<mailto:tls@ietf.org>> Subject: Re: [TLS] chairs - please shutdown wiretapping discussion... I must admit that I mostly agree with Stephan that this kind of thing should not exist. However, it exists now, and the chairs have decided we should at least discuss it. I think there are many ways to meet the "requirements" of network monitoring and protocol debugging, and some are worse than others. Leading the world in the direction of the least damaging ones seems to be the bese way to deal with a bad situation. The major threats I see include: Coerced use by oppressive governments. Use outside the immediate private network Use by an ISP on its customers Use without both ends being aware that it is in use. I think coerced use is by oppressive governments is an obvious bad and I hope I have working group agreement on this point. Limiting the protocol to the immediate private network will prevent 3rd parties from activating it to spy on the enterprise. One possible way to enforce this limitation is to require compliant implementations to limit broadcast of decryption information to the IP addresses on the local subnet. I would be nice to be able to keep an ISP from spying on its customers as part of its "private network". However, I don't see how to differentiate an ISP's network from a enterprise network. If it is not technically possible to use the protocol without both ends being aware that it is in use, then user interfaces can reflect its use. One result would be that enterprise users would be continually warned that their messages aren't private. Any technical fixes we build into the protocol that prevent these actions are a positive improvement. Cheers - Bill --------------------------------------------------------------------------- Bill Frantz | If you want total security, go to prison. There you're 408-356-8506 | fed, clothed, given medical care and so on. The only www.pwpconsult.com<http://www.pwpconsult.com> | thing lacking is freedom. - Dwight D. Eisenhower _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
