Re: [TLS] network-based security solution use cases

Flemming Andreasen <> Tue, 07 November 2017 23:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EA95B129B06 for <>; Tue, 7 Nov 2017 15:27:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 10OYMjL8xmS7 for <>; Tue, 7 Nov 2017 15:27:06 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 930401298A1 for <>; Tue, 7 Nov 2017 15:27:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2176; q=dns/txt; s=iport; t=1510097226; x=1511306826; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=+1EZi8Zt9VwHMYGGXh5MhXG1O3woHGlE9YdhkKYtBjY=; b=Oq9YmIfUjfvbwQUgEDB89RNzjIzYeoG15xvTwUsU83DSlIDu3u1FdoUb whrJpnG9jRY6aJGd3tQu79LyW9bqNwfO9C7CknPNF2azs1AbIdH6lY4/k sD5UJw8T0MkROozmnroPoj+54MUBEHb08Mgw+5tRRzzBB0IJS2pPjSGuE o=;
X-IronPort-AV: E=Sophos;i="5.44,361,1505779200"; d="scan'208";a="320747192"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Nov 2017 23:27:06 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id vA7NR5Or014952; Tue, 7 Nov 2017 23:27:05 GMT
To: Stephen Farrell <>, Florian Weimer <>, "Nancy Cam-Winget (ncamwing)" <>
Cc: "" <>
References: <> <> <> <>
From: Flemming Andreasen <>
Message-ID: <>
Date: Tue, 7 Nov 2017 18:27:56 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [TLS] network-based security solution use cases
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Nov 2017 23:27:09 -0000

Thanks for taking an initial look at the document Stephen - please see 
below for responses so far

On 11/7/17 4:13 AM, Stephen Farrell wrote:
> Hiya,
> On 07/11/17 02:48, Flemming Andreasen wrote:
>> We didn't draw any particular line, but the use case scenarios that we
>> tried to highlight are those related to overall security and regulatory
>> requirements (including public sector)
> I had a quick look at the draft (will try read properly en-route to
> ietf-100) and I followed the reference to [1] but that only lead to a
> forest of documents in which I didn't find any reference to breaking
> TLS so far at least. Can you provide an explicit pointer to the
> exact document on which that claim is based?
For NERC, you can look underĀ  "(CIP) Critital Infrastructure 
Protection". CIP-005-5 for example covers the electronic security 
perimeter, which has a couple of relevant requirements and associated text: 

To be clear though, the document does not specifically call out breaking 
TLS, but it does clearly call out the need to detect malicious inbound 
and outbound communications by leveraging an "Electronic Access Point" 
(e.g. IDS/IPS) to enforce the Electronic Security Perimeter.
> I'd also claim that your reference to PCI-DSS is misleading, as that
> same spec also explicitly calls for there to be good key management
> specifically including minimising the number of copies of keys, so
> at most, one might be able to claim that PCI-DSS is ok with people
> who break TLS in a nod-and-a-wink manner. But if you do have a real
> quote from PCI-DSS that calls for breaking TLS then please do also
> send that (it's been asked for a bunch of times without any answer
> being provided so far).

I will need to look more closely for such a quote - if anybody else 
knows of one, please chime in as well.


-- Flemming

> Thanks,
> S.
> [1]