Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"Ackermann, Michael" <MAckermann@bcbsm.com> Mon, 23 October 2017 18:12 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FAEB1398CA for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 11:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tr2RKNi9oW6C for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 11:12:09 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00F29138AEE for <tls@ietf.org>; Mon, 23 Oct 2017 11:12:08 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 05B0AC0E94 for <tls@ietf.org>; Mon, 23 Oct 2017 13:12:08 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id 1CC32C0E8F; Mon, 23 Oct 2017 13:12:07 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D63B5FE06F; Mon, 23 Oct 2017 14:12:06 -0400 (EDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8E8D1FE064; Mon, 23 Oct 2017 14:12:06 -0400 (EDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (unknown [207.46.163.83]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Mon, 23 Oct 2017 14:12:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mALt79yHMjnQVFT4YOB8GI1IdjKXq41J1d61wntxVC4=; b=wbp5xLMJkv62Pe8cC713Bkv8IbjAnOW4zZkvnmbOz2rMljv7xvMhz/O6R9zQruh73CJF7E/i/mgir1Fj/yjQ1HBoEadWTp/3pLCp5UPuHdrNxpXzg0XvS5BUZx/WJ1VBzpPaxU4EJIOVzQ9OrEZgYXyM6aeSoKqm8lTh6ZleV+Q=
Received: from CY4PR14MB1368.namprd14.prod.outlook.com (10.172.158.148) by CY4PR14MB1365.namprd14.prod.outlook.com (10.172.158.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Mon, 23 Oct 2017 18:12:04 +0000
Received: from CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) by CY4PR14MB1368.namprd14.prod.outlook.com ([10.172.158.148]) with mapi id 15.20.0077.022; Mon, 23 Oct 2017 18:12:04 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Ted Lemon <mellon@fugue.com>
CC: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Thread-Index: AQHTO710HVvcnaInjUunozwwxCXv1qLp+S4AgAFTKoCAAAWPgIAAANmAgAABFgCAAAA7gIAAAPWAgAADKICAAALZAIAABTaAgAACs4CAAAEIAIAABEYAgAAZuoCAAAV4gIAAVLoAgAD/VwCAABsIAIAADvYAgAAFHmCAAAbigIADZUkAgAAIFICAAB86QIAACamAgAD42jCAABKIgIAACV1AgAADZ4CAAAF70IAAA1UAgAAA2TCAABBTAIAABPMA
Date: Mon, 23 Oct 2017 18:12:04 +0000
Message-ID: <CY4PR14MB13687B405BA0EDC62F4371AAD7460@CY4PR14MB1368.namprd14.prod.outlook.com>
References: <7E6C8F1F-D341-456B-9A48-79FA7FEC0BC1@gmail.com> <a599d6ad-54db-e525-17d6-6ea882880021@akamai.com> <71e75d23f4544735a9731c4ec3dc7048@venafi.com> <3D2E3E26-B2B9-4B04-9704-0BBEE2E2A8F7@akamai.com> <000501d348e5$1f273450$5d759cf0$@equio.com> <70837127-37AB-4132-9535-4A0EB072BA41@akamai.com> <e8417cc424fe4bf3b240416dfffd807a@venafi.com> <B11A4F30-2F87-4310-A2F0-397582E78E1D@akamai.com> <fd12a8a8c29e4c7f9e9192e1a1d972d6@venafi.com> <D2CAAA44-339E-4B41-BCE0-865C76B50E2F@akamai.com> <d76828f02fc34287a961eba21901247b@venafi.com> <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <31F5A73E-F37E-40D8-AA7D-8BB861692FED@akamai.com> <13592ABB-BA71-4DF9-BEE4-1E0C3ED50598@gmail.com> <2EE9CB23-AEDA-4155-BF24-EBC70CD302EF@fugue.com> <CY4PR14MB136816569A2AE2A9760C6E08D7410@CY4PR14MB1368.namprd14.prod.outlook.com> <557F43AC-A236-47BB-8C51-EDD37D09D5CB@fugue.com> <CY4PR14MB13684F18AD75F4AE767CE35CD7460@CY4PR14MB1368.namprd14.prod.outlook.com> <57CFBA2A-E878-47B0-8284-35369D4DA2DF@fugue.com> <CY4PR14MB13680B6D5726D940C4C51B4BD7460@CY4PR14MB1368.namprd14.prod.outlook.com> <0D75E20C-135D-45BC-ABE4-5C737B7491C9@akamai.com> <CY4PR14MB1368378B42A6C46B27F5EF01D7460@CY4PR14MB1368.namprd14.prod.outlook.com> <2AC16F9E-C745-43AD-82C1-D3953D51816C@fugue.com> <CY4PR14MB1368895DD0D72286635E4E83D7460@CY4PR14MB1368.namprd14.prod.outlook.com> <E37A3920-D7E3-4C94-89D0-6D3ECDEBCFF6@fugue.com>
In-Reply-To: <E37A3920-D7E3-4C94-89D0-6D3ECDEBCFF6@fugue.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-originating-ip: [165.225.39.58]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1365; 20:HysA7/t6kSAYmVLae6WrGCypDdxgg2My0lIf+5lDycIwwj9cBg6EzJUmVLqUgg7gY3kCHYrZuWnZOZ7DFMWxLgUveEE4igGFiBW2P5E1Z3NOxIe7XEiLsSeUilOPtMU8tjzEbm1gLL6h2guUpa6VoQ6uNmfBvAS74+CL9oCXs1c=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 15b52dc1-eb3c-495a-641c-08d51a4190c1
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:CY4PR14MB1365;
x-ms-traffictypediagnostic: CY4PR14MB1365:
x-exchange-antispam-report-test: UriScan:(72170088055959)(192374486261705)(21748063052155)(86572411397741);
x-microsoft-antispam-prvs: <CY4PR14MB1365836C8E315C810EAF2A51D7460@CY4PR14MB1365.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(3231020)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(3002001)(6041248)(20161123562025)(20161123564025)(20161123560025)(20161123555025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1365; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1365;
x-forefront-prvs: 046985391D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(199003)(24454002)(189002)(55016002)(230783001)(4326008)(97736004)(19609705001)(6916009)(3280700002)(6436002)(101416001)(53936002)(99286003)(66066001)(2950100002)(6306002)(76176999)(25786009)(50986999)(229853002)(6116002)(6506006)(3660700001)(14454004)(54356999)(189998001)(68736007)(236005)(2900100001)(2906002)(77096006)(81156014)(81166006)(8936002)(7696004)(86362001)(5660300001)(105586002)(53546010)(54906003)(6246003)(93886005)(9686003)(72206003)(74316002)(80792005)(8676002)(54896002)(478600001)(106356001)(316002)(7736002)(3846002)(33656002)(102836003)(790700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1365; H:CY4PR14MB1368.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB13687B405BA0EDC62F4371AAD7460CY4PR14MB1368namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2017 18:12:04.4864 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1365
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: 36adb994-9fb5-4570-a900-1309d31c8248
X-VPM-MSG-ID: 0e06e780-1f57-46b5-8830-7c9bcf708a41
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DROg054xmZCS7Qc5Q7sYjZ5_Tq0>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 18:12:11 -0000

To suggest that I or my industry does not take security seriously, is inaccurate and immaterial to this discussion.

I would put the comment  that anyone or any industry is attempting to lay costs for anything off on IETF,  in the same unfortunate bucket.

These types of subjectively negative statements are not at all constructive, germane nor worthy of response.

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Monday, October 23, 2017 1:45 PM
To: Ackermann, Michael <MAckermann@bcbsm.com>;
Cc: Salz, Rich <rsalz@akamai.com>;; tls@ietf.org
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Oct 23, 2017, at 1:30 PM, Ackermann, Michael <MAckermann@bcbsm.com<mailto:MAckermann@bcbsm.com>> wrote:
The WHY you ask is in the answer.
It is a huge proposition requiring change to virtually every platform and application.    Not to mention all the management,  monitoring and security platforms.
It would be very expensive and time consuming.
And when they ask why this is necessary,  it is because the new version of the existing protocol is not backwards compatible,  which is something we have come to expect.

I really tried to have sympathy for you about this in Prague.   I know what it's like to get unreasonable pushes from management (not based on recent experience, fortunately).   But this exact form of reasoning is why we're suffering from attacks on the internet like the Mirai botnet and the Reaper botnet, the Equifax hack, et cetera.

You have come to a group of people who take these issues extremely seriously and asked them to bless you in going forward to create another problem of the same magnitude.   I know you don't think that's what you're asking, but that really is what you are asking.   It might not be on your network—maybe you will operate this technology securely.   But you are asking us to create an attack surface, and it will be used.

When you make requests like this, what you are really doing is pushing off costs your management doesn't want to pay on the users of the Internet as a whole.   130 million Americans are now doomed for life to suffer from attacks on their credit because of this kind of thinking.

Stop asking us to take security less seriously, and start taking it more seriously.   You work for BCBS: you are responsible for protecting the privacy of a similar number of Americans.   I know this is hard, but it's time to stop imagining that you can lay costs off on us and start planning how you are going to migrate to a more secure architecture.



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.