Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"Ackermann, Michael" <MAckermann@bcbsm.com> Sun, 22 October 2017 23:17 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C89513BEA4 for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 16:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVcgHpggl7Ei for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 16:16:57 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D35A13BEA1 for <tls@ietf.org>; Sun, 22 Oct 2017 16:16:56 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 55A8F1C060B for <tls@ietf.org>; Sun, 22 Oct 2017 18:16:56 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [12.107.172.80]) by mx.z120.zixworks.com (Proprietary) with SMTP id 7B4441C0605; Sun, 22 Oct 2017 18:16:55 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 41D6E92057; Sun, 22 Oct 2017 19:16:55 -0400 (EDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E70C592053; Sun, 22 Oct 2017 19:16:54 -0400 (EDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (unknown [207.46.163.82]) by imsva1.bcbsm.com (Postfix) with ESMTPS; Sun, 22 Oct 2017 19:16:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mQyTpjuhEBYdnzHtBBluA4P2ZaWUeBdNN5UhLt8iwYI=; b=nd9zQHd/wjuA9BrL2mAGhJJkIpSUkEbXyS+kDUo3Ug/FBZgVzhhTzvHf7D/9krzfxzEEaUfljUmbLSSnze+WtYPxWblIU9p24G8kwJRG1ST6bX0UhqoSpwFUmZSADqMNGsifuepre5cEBFKsO7fzLw9RQmc8+nK2wZaIsgQSs08=
Received: from CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) by CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Sun, 22 Oct 2017 23:16:53 +0000
Received: from CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) by CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) with mapi id 15.20.0077.022; Sun, 22 Oct 2017 23:16:52 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Ted Lemon <mellon@fugue.com>, Steve Fenter <steven.fenter58@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Thread-Index: AQHTO710HVvcnaInjUunozwwxCXv1qLp+S4AgAFTKoCAAAWPgIAAANmAgAABFgCAAAA7gIAAAPWAgAADKICAAALZAIAABTaAgAACs4CAAAEIAIAABEYAgAAZuoCAAAV4gIAAVLoAgAD/VwCAABsIAIAADvYAgAAFHmCAAAbigIADZUkAgAAIFICAAB86QA==
Date: Sun, 22 Oct 2017 23:16:52 +0000
Message-ID: <CY4PR14MB136816569A2AE2A9760C6E08D7410@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <7E6C8F1F-D341-456B-9A48-79FA7FEC0BC1@gmail.com> <a599d6ad-54db-e525-17d6-6ea882880021@akamai.com> <71e75d23f4544735a9731c4ec3dc7048@venafi.com> <3D2E3E26-B2B9-4B04-9704-0BBEE2E2A8F7@akamai.com> <000501d348e5$1f273450$5d759cf0$@equio.com> <70837127-37AB-4132-9535-4A0EB072BA41@akamai.com> <e8417cc424fe4bf3b240416dfffd807a@venafi.com> <B11A4F30-2F87-4310-A2F0-397582E78E1D@akamai.com> <fd12a8a8c29e4c7f9e9192e1a1d972d6@venafi.com> <D2CAAA44-339E-4B41-BCE0-865C76B50E2F@akamai.com> <d76828f02fc34287a961eba21901247b@venafi.com> <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <31F5A73E-F37E-40D8-AA7D-8BB861692FED@akamai.com> <13592ABB-BA71-4DF9-BEE4-1E0C3ED50598@gmail.com> <2EE9CB23-AEDA-4155-BF24-EBC70CD302EF@fugue.com>
In-Reply-To: <2EE9CB23-AEDA-4155-BF24-EBC70CD302EF@fugue.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-originating-ip: [165.225.39.54]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1368; 20:hzNawdUCIVwL45rJcFWMziX64i3YdKQjyXHOGTIAOXU47s8M/xdlyzipqycsfGk2mlAQ+4bl3KCASFZdnQjfOpRc6TX+U4/0LxjpmabD6IXg+ykStYs7sXHe1uhk13LAW7DosDUSmG01GEUvFq/JzohcNdxmTlcCDe4sdQsDt6I=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 63cd1b5f-be6d-42e0-0ec7-08d519a2fb06
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:CY4PR14MB1368;
x-ms-traffictypediagnostic: CY4PR14MB1368:
x-exchange-antispam-report-test: UriScan:(192374486261705)(21748063052155);
x-microsoft-antispam-prvs: <CY4PR14MB1368A7D4F24933DE003A0715D7410@CY4PR14MB1368.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(3231020)(3002001)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(6041248)(20161123560025)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1368; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1368;
x-forefront-prvs: 0468FE4A2B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39830400002)(346002)(376002)(24454002)(189002)(199003)(790700001)(81166006)(80792005)(5660300001)(8936002)(110136005)(81156014)(14454004)(6246003)(3846002)(99286003)(236005)(316002)(102836003)(68736007)(6436002)(8676002)(66066001)(25786009)(55016002)(6116002)(54356999)(7736002)(7696004)(3280700002)(2906002)(101416001)(53936002)(86362001)(53546010)(74316002)(97736004)(50986999)(6506006)(230783001)(39060400002)(106356001)(54896002)(9686003)(105586002)(2950100002)(2900100001)(189998001)(93886005)(19609705001)(76176999)(4326008)(33656002)(72206003)(229853002)(478600001)(77096006)(6306002)(3660700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1368; H:CY4PR14MB1368.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB136816569A2AE2A9760C6E08D7410CY4PR14MB1368namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Oct 2017 23:16:52.8574 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1368
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: 85ec0586-31ab-47d0-b88d-a1b0b5ebbd6f
X-VPM-MSG-ID: 594036f7-23e5-42d7-ac89-42e4f3996b33
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/17k3a92BY9kkVphjP4Ws2Tb9t5I>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Oct 2017 23:17:01 -0000

I am willing to bet that his point was not at all that Enterprises could switch quickly,  as you say in your response.
We do not do ANYTHING quickly.

I believe his point was that because we do not move quickly,  we need to prepare as much in advance as possible, and assure that the base protocols we know we will be using in the future,  do not put us in the position of having to do things that are generally not possible,  such as make significant application or protocol changes.

And out of curiosity,  what is the simpler protocol you are recommending?    I say out of curiosity because switching to a whole different protocol is not likely to be feasible from any perspective for large enterprises and the complex, multi-tier protocols that are prevalent.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Ted Lemon
Sent: Sunday, October 22, 2017 5:18 PM
To: Steve Fenter <steven.fenter58@gmail.com>;
Cc: tls@ietf.org
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Oct 22, 2017, at 4:48 PM, Steve Fenter <steven.fenter58@gmail.com<mailto:steven.fenter58@gmail.com>> wrote:
The main problem with not addressing the TLS visibility issue now is that no one knows when a vulnerability will be discovered in TLS 1.2 that forces enterprises to upgrade to TLS 1.3. We've had guarantees that TLS 1.2 and the RSA key exchange are going to be fine for 5 to 10 years, but nobody knows that, particularly in today's security environment.

Implicit in this assertion is the claim that these organizations could switch quickly to TLS 1.3, but in fact we know that it's been very difficult for them to make the switch from 1.1 to 1.2, and in many cases they haven't done it.   So this isn't really at all persuasive.   But even if it were persuasive, it still wouldn't be a good argument.  TLS is a complicated protocol that does far more than is required for the use case we are talking about.   It would be better to use a simpler protocol with a smaller attack surface.

So why not get started on that now, instead of trying to weaken TLS 1.3?



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.