Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Darin Pettis <dpp.edco@gmail.com> Thu, 19 October 2017 22:30 UTC

Return-Path: <dpp.edco@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE9D13420D for <tls@ietfa.amsl.com>; Thu, 19 Oct 2017 15:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XdxJK6FHcd53 for <tls@ietfa.amsl.com>; Thu, 19 Oct 2017 15:30:22 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57482132F69 for <tls@ietf.org>; Thu, 19 Oct 2017 15:30:22 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id n70so6305521vkf.11 for <tls@ietf.org>; Thu, 19 Oct 2017 15:30:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=M/OGZvfQuk8ORo1rLAzU5FUSreUybra88xNRkF1K0ZI=; b=r5Gr/Y7lA8HLhi4LsRkaTkHbutbTpvHOmJAuuN7hx5Ioh68TOU0wpqLmkOo3HPFnKZ tX9tGdjfeglFdrB00nC0yp+gpIVlj4hRomeMbzSTBiF19Hx6I1fRKuLoEa+Hp7EnIls9 YSl/8aO1GVzpsfHbHBvW4eGR/M+oC2KEowuSipm2N0aSsK9Nj38ZUtb2Wrjj9d4cjfRz 5aGbSM3oDKJzUTX0rxE5nWxpEkiSThEKN8axI3OP0Sv2p0mfLtsa4rtHkhIq3i+1OyCL IUB6VskmAM1jKXPMUuMJSSbNdd37UHIOyLmlrjrc0CIfpKtXtNAHWLOdHCiAF7GBTFIL oW4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=M/OGZvfQuk8ORo1rLAzU5FUSreUybra88xNRkF1K0ZI=; b=QndGLjOc4V8FVasVUDkpEsuS1e56N1Cr+hTXr386qBbiAAmuPaDBoUyvgrxUkYjCLr HYsLEaKFDI62OSnEoWBLJJawEYNi5Ya0hl1I70W65RLFgaJ9HHHgBdtq95t94pw5mxlF EI2HeNUkQWSvA+DRv+QSaaBpC8ohK8kNfnrzfhye4asJkkuQwTaNdlShF7zrZBUxfXjy xK39WL4jTJ10+I15LIEh6FasmLRP7btiPZMrWv+XHN7nvtUjjqaLU0BFGSN6ZxcEk+NR a6f8n70w1nx0A+zeLuiYajsH4Jx5ICD8900NX0BlIYWFdRHiTxkGjLYqDe5eRTpqf/S3 SzAA==
X-Gm-Message-State: AMCzsaWagMvT6Kni3dVmfKENJNnalRprjzbcIw+KjCggZ/x6YtHyD3xe LdQSKaTUWylVpfJQgAQ0AQfok9mhH/zZH224R8Q=
X-Google-Smtp-Source: ABhQp+TXM02h7MDy9lj8RfZCe7RmUa920+KwxW5HwPhvnL/IWVAS0KvJke1Ztl0QP3QRUe0gCaSO4xQgxxgjt6uY4yU=
X-Received: by 10.31.155.202 with SMTP id d193mr2139708vke.94.1508452221405; Thu, 19 Oct 2017 15:30:21 -0700 (PDT)
MIME-Version: 1.0
References: <7E6C8F1F-D341-456B-9A48-79FA7FEC0BC1@gmail.com> <a599d6ad-54db-e525-17d6-6ea882880021@akamai.com> <71e75d23f4544735a9731c4ec3dc7048@venafi.com> <3D2E3E26-B2B9-4B04-9704-0BBEE2E2A8F7@akamai.com> <000501d348e5$1f273450$5d759cf0$@equio.com> <70837127-37AB-4132-9535-4A0EB072BA41@akamai.com> <e8417cc424fe4bf3b240416dfffd807a@venafi.com> <B11A4F30-2F87-4310-A2F0-397582E78E1D@akamai.com> <fd12a8a8c29e4c7f9e9192e1a1d972d6@venafi.com> <D2CAAA44-339E-4B41-BCE0-865C76B50E2F@akamai.com> <d76828f02fc34287a961eba21901247b@venafi.com> <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com>
In-Reply-To: <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com>
From: Darin Pettis <dpp.edco@gmail.com>
Date: Thu, 19 Oct 2017 22:30:10 +0000
Message-ID: <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com>
To: Paul Turner <PAUL.TURNER@venafi.com>, "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140f2ded15e69055bede69a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6HghNQ6_TFE-8VPKkFj-ToKo8_g>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Oct 2017 22:30:24 -0000

On Thu, Oct 19, 2017 at 12:27 PM Salz, Rich <rsalz@akamai.com>; wrote:

> We disagree.
>
> Being able to block traffic is much less effort than pretending to be
> another identity.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

First I want to thank the TLS WG for all their assistance and conversation
around finding the right methodology for continued visibility.

The question has been raised: "Why address visibility now?"   The answer is
that it is critical that the visibility capability is retained.  It is
available today through the RSA key exchange algorithm.  We understand that
the issue was raised late and have fallen on the preverbal sword for being
late to the party but the issue is real.  That is where the "rhrd" draft
has come from.  A way to retain that visibility capability but with a newer
and more secure protocol.

We need to protect and troubleshoot data that is within each of our
companies.   As encryption becomes more prevalent, it becomes more and more
critical to see that data.

The amount of people currently voicing concern is likely small for two
reasons.  One is that everything is public and many of the "lurkers" are
hesitant to voice their concerns.  The second reason is that so many don't
know that visibility will be an issue.  They will either discover this as
they migrate to TLS 1.3 or as they start to encrypt within their data
center.  There is work to rapidly raise that awareness through roundtables,
conferences and other venues.

It is very positive that the WG has made a number of great recommendations
that have led to this solution.   That is the intention.  We would
appreciate the WG now adopting the extension so that it can be ushered
through the process.   This continued visibility can continue to be
available as we all have expectations that our data is safeguarded and that
websites are available to us quickly.   Thank you for your valued
assistance!