Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Simon Friedberger <simon.tls@a-oben.org> Thu, 20 July 2017 15:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EqXXHvu-a4teZc1_Dw6KMHSfV1M>

I would like to point out that a lot of this discussion seems to hinge
on the following argument:


On 17/07/17 13:04, Roland Dobbins wrote:
> On 16 Jul 2017, at 11:14, Salz, Rich wrote:
>
>> I really want to hear an answer to that question from folks who say
>> they need TLS 1.3 but without it.
>
> Being able to continue to utilize vetted, well-understood,
> standards-based cryptography on intranets once regulatory bodies such
> as PCI/DSS mandate TLS 1.3 or above - which will happen, at some point
> in the not-too-distant future.

So the only reason not to use TLS 1.2 for these use cases is that it is
assumed that some regulator will in the future prohibit not using it.

(I don't think TLS 1.2 is going away any time soon so it will continue
to be vetted, well-understood and standards-based.)

I think it is up to those regulators to do their job properly and not
require TLS 1.3 for situations when it does not fulfil the requirements.
Or conversely if regulators still require TLS 1.3 although it does not
support the desired traffic inspection maybe they have made that
decision with good reason.