Rich, I think you're mixing things up a bit. There is no false comparison. I am not comparing draft-rhrd to the Wireshark option, they are fundamentally different. I'm comparing draft-rhrd to draft-green. The wireshark option requires storage of n keys to inspect n connections, both draft-rhrd and draft-green only require a single master key to inspect n connections.
The Wireshark option is always possible with TLS, it just has scaling issues. You export the session keys on a connection-by-connection basis from one of the endpoints and can then use them to decrypt the transcript after the fact. This is possible with TLS 1.2, TLS 1.3 and every version of TLS that uses symmetric keys for encryption. This keeps TLS a two-party protocol, and is my preferred solution to datacenter visibility, and I assume Stephen's as well. There have been arguments here that this is not a tenable solution in some environments, but I haven't found them convincing for the datacenter visibility case. The other two options, the master key options draft-rhrd and draft-green, turn TLS into a quasi three-party protocol. Server operators can just implement draft-green (or a variant thereof that doesn't repeat DH keys, but instead generates them deterministically) no matter what the IETF says. It's not prohibited by TLS 1.3 either structurally or by policy. If datacenter operators want a master key option and there is no standard to use, they can just implement draft-green and the client will have no idea this is happening. Your rejection of the cleartext signal expresses implies a preference for draft-green over draft-rhrd, not a preference for the wireshark option over draft-rhrd. Without draft-rhrd, it's likely that draft-green gets implemented whether it's standardized or not and no client will be able to opt out or even know that it's happening. In the situation where draft-green become the de facto standard for key escrow in TLS, the public debates around national firewalls trying to force clients to opt into wiretapping will become moot, firewalls won't have to block users who have the cleartext signal, they'll just force servers to implement draft-green unbeknownst to users. Users won't have any option, or any knowledge that servers are using a master key to protect the confidentiality of their connection and that their security may be lessened because of it (compared to a Wireshark-type system which is more difficult to implement at nation-scale due to how many keys you need to manage). Furthermore, researchers won't be able to measure the prevalence of this type of technology. With draft-green, civil society goes dark, with draft-rhrd, there will be public data to inform a public debate. Nick On Wed, Nov 1, 2017 at 7:19 AM Salz, Rich <rs...@akamai.com> wrote: > In https://www.ietf.org/mail-archive/web/tls/current/msg24789.html, Nick > Sullivan concluded: > > > > >- on the other hand using draft-rhrd is safer than allowing organizations > to hack single-key escrow into TLS 1.3 or continue to use TLS 1.2 with > non-forward-secret cipher suites > > > > I think this sets up a false comparison. Existing TLS 1.3 debugging > systems – Wireshark – can debug individual TLS sessions with the session > key information being made available. This is what the RHRD draft would > require an organization to do, but it adds the additional signaling that > the client is willing to allow it. The Wireshark example shows that the > signaling is not needed. Servers can unilaterally do it now. > > > > I maintain that the cleartext signal servers no useful purpose, except to > provide a mechanism for entities to segregate traffic. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
