Re: [TLS] Industry Concerns about TLS 1.3

"Salz, Rich" <rsalz@akamai.com> Sat, 24 September 2016 02:51 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: BITS Security <BITSSecurity@fsroundtable.org>, Xiaoyin Liu <xiaoyin.l@outlook.com>
Date: Sat, 24 Sep 2016 02:50:58 +0000
Message-ID: <20f3bddbc81b4d229a0039234822b502@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <72011214.413503.1474650126973@mail.yahoo.com> <e24a06b8d0d04ccc80b9a55d83bf5606@usma1ex-dag1mb1.msg.corp.akamai.com>, <DM5PR11MB141926C5806296FFD7252A45F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <CY1PR15MB0778E06B122413B7D0C9E796FFC80@CY1PR15MB0778.namprd15.prod.outlook.com> <DM5PR11MB1419384BB86D2C5F791DD1A1F4C80@DM5PR11MB1419.namprd11.prod.outlook.com>
In-Reply-To: <DM5PR11MB1419384BB86D2C5F791DD1A1F4C80@DM5PR11MB1419.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/678ex8z2uJOiLTDGCJTjWDc8zdE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3

> There are both public and private sector regulators arcing towards being
> more prescriptive in this area.  It is possible, if not likely, in the not too distant
> future that my member companies will not have the choice to "downgrade"
> to "obsolete" TLS versions.
> 
> Note: the standards track document says it "Obsoletes: RFC 5246" which is
> TLS 1.2.  That's a signal that may prove difficult to divert in this rapidly
> evolving threat and regulatory environment.

Then the industry will have to explain to its regulators that the latest version of the standard prevents them from doing what is required, in the way that it was, apparently, traditionally done.  You can intercept and monitor TLS 1.3, but it must be done at one of the endpoints, not via a passive intermediary watching traffic.  We removed that capability because of the threat of national-scale actors doing such things on a global basis.
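As an added illustration of what "at one of the endpoints" means in practice (this is example code written for this page, not part of Rich's message or anything from the thread): the Go program below, standard library only, runs a TLS 1.3 handshake over loopback and has the client endpoint export its secrets through crypto/tls's KeyLogWriter, in the NSS key-log format that Wireshark and similar tools consume. The self-signed certificate, the loopback addresses and the function names (selfSignedCert, HandshakeWithKeyLog, KeyLogLabels) are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// example runs offline; key and certificate exist only for this example.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client pins this one cert rather than skipping verification
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HandshakeWithKeyLog runs one TLS 1.3 handshake over loopback. The client
// endpoint exports its secrets via KeyLogWriter in NSS key-log format (the
// server Config offers the same hook). Returns negotiated version and log.
func HandshakeWithKeyLog() (uint16, string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()

	// Server endpoint: accept one connection and run its half of the handshake.
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()

	// Client endpoint: KeyLogWriter is where a monitor gets the per-connection
	// secrets; nothing on the wire lets a passive observer derive them.
	var keyLog bytes.Buffer
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      pool,
		MinVersion:   tls.VersionTLS13,
		KeyLogWriter: &keyLog,
	})
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return 0, "", err
	}
	return conn.ConnectionState().Version, keyLog.String(), nil
}

// KeyLogLabels returns the distinct labels in an NSS key log. For TLS 1.3 these
// are handshake and application traffic secrets per direction; the TLS 1.2
// CLIENT_RANDOM master-secret line never appears.
func KeyLogLabels(keyLog string) map[string]bool {
	labels := map[string]bool{}
	for _, line := range strings.Split(keyLog, "\n") {
		if f := strings.Fields(line); len(f) == 3 { // "<label> <client_random> <secret>"
			labels[f[0]] = true
		}
	}
	return labels
}
```

The exported lines are per-connection traffic secrets keyed by the client random. The server's long-term private key is not among them and cannot stand in for them: in TLS 1.3 that key only signs the handshake, and the session keys come from an ephemeral (EC)DHE exchange, so a monitor has to be fed from a hook like this on an endpoint (or a terminating proxy), which is the operational change the thread is arguing about.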