Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Tony Arcieri <> Fri, 20 October 2017 22:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F8E2132CE7 for <>; Fri, 20 Oct 2017 15:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u_MH6nmDMc_9 for <>; Fri, 20 Oct 2017 15:02:34 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 640FB12ECEC for <>; Fri, 20 Oct 2017 15:02:34 -0700 (PDT)
Received: by with SMTP id z50so20192014qtj.4 for <>; Fri, 20 Oct 2017 15:02:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dqaVCHAsGKA1MxlrtCdCXFvN8we5908I37NdOxe2yrI=; b=jw7mx47Skv7zn1ieeoPIAqkNaoIdB+JMVqTMRq2iN+mqt1DnNXN7yXVLDtdMY5eDYD 60/ddKQngZsza6+xxiybulmmiZuauq7uaq7m782QGMm5QSdHChmbnjzPDcUzA/1rcoYs P3AOWnakFnVz+IlFACX2f76BfREzpFfsDSezgGpxJjUBd/Nj4bHm1o3arV+rPypp5/4L sndH03pCZozgMj/PrwT/Jri9PpV56DPqbuCIuQc0l4Zzzo2+IPJWxtRnWwGPEGcjTE6E TNsXAmLn1iXz0523ui8SXViL6yebSBG64lgPTKobL4pEnqgThAY8LjFFCXAjWi4S4lpL fOsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dqaVCHAsGKA1MxlrtCdCXFvN8we5908I37NdOxe2yrI=; b=dJDn/oxOytHxqmYZlkWBUTeczbn5zubhIw0NFEq9BA2eIIgq/fyC3Jl1YadZW2e/tv kn2UfC42L527nn/FDJNu9vL6DHLrgQagnCdEhPVTu1CwgIhIGj0tkJHzg5enUl01oJB2 cn+ZNUbzS56iqO5ol1uTJY3dInDsOAyWnKMuHofx55E/fqt28hdiOyBmiFbDE0Om3SIB 2E05tdbrgfEzzl6Clza1TTb4o9jwfvqv5bAnGOBUF2jTsBnse68bF//4l9SZmuGOyGVp tiO4cG70heDwhkIfqg7yEvwXg+LQhkkjnwqjqEhkJeaQdSMTG9PebxpBsAVe/se7vR4c G8PA==
X-Gm-Message-State: AMCzsaV95bYw9ycDzufJQJQdV2hgOE4GBc9b5op1SHM8QKOVk+0IL3eQ BTCs22z3txi5XbcMcnDnXZQCzjPlyj9q6WsAIVU=
X-Google-Smtp-Source: ABhQp+Slcyexs46WGDzovkeOojOiRwrofRj0Pmotti37JV1V3ItDZ3ys2qXKbsjCgIDAug1QZTmO4MJgDiObndqtbIQ=
X-Received: by with SMTP id c1mr9042621qtj.252.1508536953455; Fri, 20 Oct 2017 15:02:33 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 20 Oct 2017 15:02:12 -0700 (PDT)
In-Reply-To: <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII>
References: <> <> <> <> <> <> <> <> <> <> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII>
From: Tony Arcieri <>
Date: Fri, 20 Oct 2017 15:02:12 -0700
Message-ID: <>
To: Ilari Liusvaara <>
Cc: "Ackermann, Michael" <>, "" <>
Content-Type: multipart/alternative; boundary="089e082651683dcb21055c01a160"
Archived-At: <>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Oct 2017 22:02:36 -0000

On Fri, Oct 20, 2017 at 11:27 AM, Ilari Liusvaara <>;

> TLS 1.2 will very probably remain viable until quantum computers come
> and demolish its security, unfortunately.

As someone who has spent a lot of time working on compliance for payments
systems, I have an open question to the "visibility" advocates:

Can you provide a *specific citation* as to where you will be *required* to
use TLS 1.3 any time in, say, the next decade?

This is absolutely not the case for PCI-DSS.

To my knowledge any requirement of this nature simply doesn't exist. I
could be wrong but... citation needed.

If there is no pressing reason for legacy systems which are dependent on
"visibility"/self-MitM capability because their observability story is so
poor and they can't use endpoint agents to solve the same problems, what is
the case for trying to add MitM mechanisms now?

The answer is simple: stay on TLS 1.2 (or earlier) until you can improve
your observability story, or *specific* requirements which *mandate* use of
TLS 1.3 actually manifest. From previous experience: such mandates will not
be a fire drill, but will be years in the making, and repeatedly delayed
due to "industry" requirements / shortcomings.

Tony Arcieri