Re: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Tue, 16 May 2023 13:58 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 16 May 2023 13:56:22 +0000
Message-ID: <GVXPR07MB9678B1AEF81759EFE014B6D689799@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <497567B2-AB42-436E-9BE5-95CCA121E62A@akamai.com>
In-Reply-To: <497567B2-AB42-436E-9BE5-95CCA121E62A@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4ogFHHnVm-zCEsrxjnh0aEgc7CU>

Hi Rich,

Good that you informed the TLS WG. I was planning to do that but forgot. Ericsson is likely to provide the comments in the link below. We think it is good that NIST is doing this project; visibility is a problem, but our position is that reuse of key shares is not an acceptable solution.

https://github.com/emanjon/Publications/blob/main/Ericsson%20comments%20on%20NIST%20SP%201800-37A%20May%2013.pdf

Cheers,
John
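A defender-side check for the concern raised above, as an added example that is not from this email, from Ericsson's comments, or from NIST: it parses the key_share extension of TLS 1.3 ServerHello handshake messages (RFC 8446 layout) and flags any server key share that appears in more than one handshake, which is what a reused (non-ephemeral) key share would look like on the wire. The ServerHello builder and all key bytes are constructed for illustration, not captured traffic.

```python
import struct
from collections import defaultdict

KEY_SHARE = 0x0033           # key_share extension type (RFC 8446)
SUPPORTED_VERSIONS = 0x002b  # supported_versions extension type
X25519 = 0x001d              # NamedGroup x25519

def build_server_hello(random32: bytes, group: int, key_exchange: bytes) -> bytes:
    """Constructed minimal TLS 1.3 ServerHello handshake message (illustration only)."""
    ks = struct.pack("!HH", group, len(key_exchange)) + key_exchange
    exts = struct.pack("!HH", KEY_SHARE, len(ks)) + ks
    exts += struct.pack("!HHH", SUPPORTED_VERSIONS, 2, 0x0304)   # selected_version: TLS 1.3
    body = (b"\x03\x03" + random32 + b"\x00"       # legacy_version, random, empty session_id
            + b"\x13\x01" + b"\x00"               # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body   # msg_type server_hello(2)

def server_key_share(msg: bytes):
    """Return (group, key_exchange) from a ServerHello handshake message, or None."""
    if not msg or msg[0] != 0x02:
        return None
    p = 4 + 2 + 32                  # skip handshake header, legacy_version, random
    p += 1 + msg[p]                 # session_id
    p += 2 + 1                      # cipher_suite, legacy_compression_method
    ext_end = p + 2 + struct.unpack_from("!H", msg, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", msg, p)
        p += 4
        if etype == KEY_SHARE:
            group, klen = struct.unpack_from("!HH", msg, p)
            return group, msg[p + 4:p + 4 + klen]
        p += elen
    return None

def find_reused_key_shares(hellos):
    """Map every key share seen in more than one handshake to the handshake indices using it."""
    seen = defaultdict(list)
    for i, m in enumerate(hellos):
        ks = server_key_share(m)
        if ks is not None:
            seen[ks].append(i)
    return {ks: idx for ks, idx in seen.items() if len(idx) > 1}

# Constructed sample: handshakes 0 and 2 reuse the same server key share, 1 uses a fresh one.
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
SAMPLE_HELLOS = [build_server_hello(b"\x01" * 32, X25519, KEY_A),
                 build_server_hello(b"\x02" * 32, X25519, KEY_B),
                 build_server_hello(b"\x03" * 32, X25519, KEY_A)]
```

Running `find_reused_key_shares(SAMPLE_HELLOS)` over the constructed sample reports the shared x25519 key as used by handshakes 0 and 2; over a properly ephemeral server it returns an empty dict.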

From: TLS <tls-bounces@ietf.org> on behalf of Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Date: Tuesday, 16 May 2023 at 13:19
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] NIST Draft comments period: Addressing Visibility Challenges with TLS 1.3
Public comment period open until June 26.

Quoting from https://content.govdelivery.com/accounts/USNIST/bulletins/359534b

This project builds on our earlier work, “https://www.nccoe.nist.gov/tls-server-certificate-management,” which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped organizations boost performance and address security concerns. These same enhancements have also reduced enterprise visibility into internal traffic flows within the organizations' environment. This project aims to change that--and has two main objectives:
• Provide security and IT professionals practical approaches and tools to help them gain more visibility into the information being exchanged on their organizations’ servers.
• Help users fully adopt TLS 1.3 in their private data centers and in hybrid cloud environments—while maintaining regulatory compliance, security, and operations.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls