Re: [TLS] Industry Concerns about TLS 1.3
Tony Arcieri <bascule@gmail.com> Thu, 29 September 2016 00:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3F8CEeA5U14N1V_mRzVHss-q25U>
On Wed, Sep 28, 2016 at 4:27 PM, Melinda Shore <melinda.shore@nomountain.net> wrote:

> We have poor participation and representation from enterprise networks. So now we've got someone showing up from the enterprise space and saying "I have this problem related to protocol changes." And yeah, he's very, very late in this process, although it's worth pointing out that it's in the best tradition of the IETF to deal with technical problems that crop up with documents at any point in their development.

"BITS Security" is representing *some* companies in the payments space, namely these ones:

http://fsroundtable.org/members/

Their concerns are not representative of "the enterprise", "the industry", "the payments space", etc. In fact some of the companies in the aforementioned link have personally contacted me to note they disagree with "BITS Security". Even among their cabal, their opinion is contentious.

My personal opinion, as a security professional directly working on implementing TLS for a payments company, is their last-minute proposed changes would harm the security of our payments platform. I want to deploy TLS 1.3 in its current form. I also think the reasoning for their proposed changes is based on flawed premises.

There are relevant industry groups BITS Security seems actually concerned with, such as the PCI Council. BITS Security should be voicing their concerns there, and the PCI Council should be working with the IETF to implement such changes if they're actually deemed necessary.

I do not think this is a case of the IETF failing to understand "industry requirements". I strongly disagree the proposal represents "industry requirements" at all. I think they are trying to subvert the IETF process because they have inadequate security processes and they do not want to see their inadequate processes disturbed by security improvements to TLS.

As a payments professional, my personal opinion is improving the security of TLS is *paramount*.

The voiced concerns are not representative of "enterprise", "industry", or "payments" as a whole, but a last-minute opinion of companies who haven't been paying attention to the process and who do not want to invest in upgrading their security practices.

The IETF is doing great work. This entire thread is a distraction, and I hope it does not result in changes which weaken TLS 1.3's security.

-- 
Tony Arcieri