As co-author I support adoption of the draft and appreciate the feedback.

The authors agreed at the time that the OPSEC WG charter would better match our 
intention of documenting the BCP for TLS proxies given that the TLS WG charter 
places more of an emphasis on the TLS protocol.  Having said that, we do also 
agree that the TLS WG should be involved.  The recommendation from the TLS WG 
chairs was to continue in OPSEC and to cc the TLS WG.

--Roelof


> On Jul 27, 2020, at 9:30 AM, Ben Schwartz <bemasc=40google....@dmarc.ietf.org> wrote:
> 
> I'm concerned about this work happening outside the TLS working group.  For 
> example, the question of proper handling of TLS extensions is not addressed 
> at all in this draft, and has significant security and functionality 
> implications.  There are various other tricky protocol issues (e.g. version 
> negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start, 
> round-trip deadlock when buffers fill, ticket (non-)reuse, client certificate 
> linkability pre-TLS-1.3, implications of SAN scope of synthesized 
> certificates) that could arise and are going to be difficult to get right in 
> any other WG.
> 
> The title "TLS Proxy Best Practice" implies that it is possible to proxy TLS 
> correctly, and that this document is the main source for how to do it.  I 
> think the TLS WG is the right place to make those judgments.  For the OpSec 
> group, I think a more appropriate draft would be something like "TLS 
> Interception Pitfalls", documenting the operational experience on failure 
> modes of TLS interception.
> 
> On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco....@dmarc.ietf.org> wrote:
> The document is not imposing any standards but rather provides guidelines for 
> those implementing TLS proxies; given that proxies will continue to exist 
> I'm not sure why there is a belief that the IETF should ignore this.
> 
> Warm regards, Nancy
> 
> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-boun...@ietf.org on behalf of u...@ll.mit.edu> wrote:
> 
>     I support Stephen and oppose adoption. IMHO, this is not a technology 
>     that IETF should standardize.
> 
> 
>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-boun...@ietf.org on behalf of stephen.farr...@cs.tcd.ie> wrote:
> 
> 
>         I oppose adoption. While there could be some minor benefit
>         in documenting the uses and abuses seen when mitm'ing tls,
>         I doubt that the effort to ensure a balanced document is at
>         all worthwhile. The current draft is too far from what it'd
>         need to be to be adopted.
> 
>         Send to ISE.
> 
>         S.
> 
>         On 23/07/2020 02:30, Jen Linkova wrote:
>         > One thing to add here: the chairs would like to hear active and
>         > explicit support of the adoption. So please speak up if you believe
>         > the draft is useful and the WG shall work on getting it published.
>         > 
>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica <rbonica=40juniper....@dmarc.ietf.org> wrote:
>         >>
>         >> Folks,
>         >>
>         >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
>         >>
>         >> Please send comments to op...@ietf.org by August 3, 2020.
>         >>
>         >> Ron
>         >>
>         >> _______________________________________________
>         >> OPSEC mailing list
>         >> op...@ietf.org
>         >> https://www.ietf.org/mailman/listinfo/opsec
>         > 
>         > --
>         > SY, Jen Linkova aka Furry
>         > 
>         > _______________________________________________
>         > TLS mailing list
>         > TLS@ietf.org
>         > https://www.ietf.org/mailman/listinfo/tls
