Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Ted Lemon <mellon@fugue.com> Sun, 22 October 2017 18:40 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
Date: Sun, 22 Oct 2017 14:40:43 -0400
In-Reply-To: <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com>
Cc: Tony Arcieri <bascule@gmail.com>, IETF TLS <tls@ietf.org>
To: Russ Housley <housley@vigilsec.com>
References: <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII> <CAHOTMVJXiQqMGPfRy=z2=3D60L08BURrOxSAgGdH8_TCO6Hr8g@mail.gmail.com> <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DhBdz6pgp9hFCLwGWgXUnRqUQzE>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Oct 22, 2017, at 1:54 PM, Russ Housley <housley@vigilsec.com> wrote:
> No one is requiring TLS 1.3 that I know about. However, there are places that require visibility into TLS. I will let one of the people that works in a regulated industry offer pointers to the documents.

What they require is visibility into contents of the flow that they are using encryption to protect. Right now, the protocol they are using is TLS 1.1 or TLS 1.2. The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE, or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.

There is no reason other than momentum for them to switch to TLS 1.3 when it doesn't address their use case.