TLS is a two endpoint protocol. It looks like many of the use cases
describe problems with more than two endpoints but are using TLS because
it is commonly available. So should TLS be extended to be an n-party
protocol (or is this always considered wiretapping?) or should be there
another protocol or something else?
Regards,
Roland
Am 15.07.2017 um 19:34 schrieb Colm MacCárthaigh:
On Fri, Jul 14, 2017 at 11:12 PM, Daniel Kahn Gillmor
<d...@fifthhorseman.net <mailto:d...@fifthhorseman.net>> wrote:
* This proposed TLS variant is *never* acceptable for use on the
public
Internet. At most it's acceptable only between two endpoints
within
a datacenter under a single zone of administrative control.
* Forward secrecy is in general a valuable property for encrypted
communications in transit.
If there's anyone on the list who disagrees with the above two
statements, please speak up!
I agree with the second statement, but I don't really follow the logic
of the first. On the public internet, it's increasingly common for
traffic to be MITMd in the form of a CDN. Many commenters here have
also responded "Just use proxies". I don't get how that's better.
A proxy sees all of the plaintext, not just selected amounts. All of
the same coercion and compromise risks apply to a proxy too, but since
it undetectably sees everything, that would seem objectively worse
from a security/privacy risk POV.
Or put another way: if these organizations need to occasionally
inspect plaintext, would I prefer that it's the kind of system where
they have to go pull a key from a store, and decrypt specific
ciphertexts on demand offline, or do I want them recording plaintext
*all* of the time inline? It seems utterly bizarre that we would
collectively favor the latter. We end up recommending the kinds of
systems that are an attacker's dream.
Here's what I'd prefer:
* Don't allow static DH. In fact, forbid it, and recommend that
clients check for changing DH params.
* For the pcap-folks, define an extension that exports the session
key or PMS, encrypted under another key. Make this part of the
post-handshake transcript.
* pcap-folks can do what they want, but clients will know and can
issue security warnings if they desire. Forbiding static DH enforces
this mechanism, and we can collectively land in a better place than we
are today.
--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
