Re: [TLS] chairs - please shutdown wiretapping discussion...

"Ackermann, Michael" <MAckermann@bcbsm.com> Mon, 10 July 2017 15:46 UTC

+1 !!!

And, for the enterprise situations, we typically own, operate and manage the involved "Facilities":
  - The Servers
  - The Applications
  - The Networks
  - The Keys
  - The Data
  - and in many cases the clients as well

Given the above scenario, I do not understand how this can be construed as "Wiretapping". 2804 seems to make this clear.

What Enterprises want in this space is the ability to continue to have access to their aforementioned facilities, to perform diagnostics, monitoring and security functions (i.e. continue to effectively operate and manage our networks). Although I believe the Matt Green draft proposes a very good, viable and well thought out solution for TLS 1.3, I suspect most of us are open to different or better solutions, if such exist or can be conceived.
There seems to be good discussion, requirements and ideas on both sides of this issue, albeit in sharp disagreement in many cases. Such critical colloquy, with significant long term impact, should not be prematurely terminated, IMHO.


Finally, an editorial comment from those of us TRYING to get Enterprises involved at IETF. We finally have some interest and engagement from Enterprise perspectives. Killing discussion on this issue, which is clearly important to Enterprises, will send the message that IETF did not really want this input or feedback. I hope this is not the case.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Polk, Tim (Fed)
Sent: Monday, July 10, 2017 9:54 AM
To: tls@ietf.org
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...

First, I do not see this as a "wiretapping discussion" based on my reading of 2804, although others may disagree.

Second, I believe that this discussion should go forward based on several points:

  1.  this proposal does not involve any changes to the bits on the wire specified in the TLS 1.3 document
  2.  this proposal offers significantly better security properties than current practice (central distribution of static RSA keys)
  3.  alternative solutions with significantly worse security properties are also feasible under TLS 1.3, and I would like to avoid them!

We should be in the business of developing pragmatic, interoperable solutions with appropriate security properties.  Balancing cryptographic security with other security requirements to achieve such solutions should be an acceptable path, and pursuing this work in the TLS working group gives the IETF the best opportunity to influence these solutions.
