Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 22 October 2017 19:24 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
Date: Sun, 22 Oct 2017 15:24:52 -0400
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Message-Id: <86A43E91-7393-4891-9E5D-9DD385119E64@gmail.com>
References: <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII> <CAHOTMVJXiQqMGPfRy=z2=3D60L08BURrOxSAgGdH8_TCO6Hr8g@mail.gmail.com> <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com> <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CDOiLHLIXY2Kj5sa1Cyah5vlSfY>


Sent from my iPhone

> On Oct 22, 2017, at 2:40 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
>> On Oct 22, 2017, at 1:54 PM, Russ Housley <housley@vigilsec.com> wrote:
>> No one is requiring TLS 1.3 that I know about.  However, there are places that require visibility into TLS.  I will let one of the people that works in a regulated industry offer pointers to the documents.
> 
> What they require is visibility into contents of the flow that they are using encryption to protect. Right now, the protocol they are using is TLS 1.1 or TLS 1.2. The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE, or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.
> 
> There is no reason other than momentum for them to switch to TLS 1.3 when it doesn't address their use case.

With no hat, I agree.
https://www.rsa.com/en-us/blog/2017-08/tls-security-and-data-center-monitoring-searching-for-a-path-forward

Kathleen 
