Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Ted Lemon <mellon@fugue.com> Mon, 23 October 2017 16:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-CWy31Dj5uNiy9w4dmGGhnrtH2s>

On Oct 23, 2017, at 12:22 PM, Ackermann, Michael <MAckermann@bcbsm.com> wrote:
> My question back to you was WHAT SIMPLER PROTOCOL?

This is what I actually wrote, in the message before the one Kathleen sent:

> What they require is visibility into contents of the flow that they are using encryption to protect. Right now, the protocol they are using is TLS 1.1 or TLS 1.2. The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE, or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.