Re: [TLS] network-based security solution use cases
Flemming Andreasen <fandreas@cisco.com> Tue, 07 November 2017 23:27 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Florian Weimer <fw@deneb.enyo.de>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <895D1206-28D1-43AB-8A45-11DEEC86A71D@cisco.com> <874lq868t3.fsf@mid.deneb.enyo.de> <a7a78674-d80d-dbd3-3c65-2d4000922423@cisco.com> <6966da46-0f07-b518-4b6e-f2b5f599b050@cs.tcd.ie>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <b93fb058-7a61-13e0-9a39-a8f55e970d6c@cisco.com>
Date: Tue, 07 Nov 2017 18:27:56 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/G4iqS0lo4U9NwH9HswNKxHt3l_Q>
Thanks for taking an initial look at the document, Stephen - please see below for responses so far.

On 11/7/17 4:13 AM, Stephen Farrell wrote:
> Hiya,
>
> On 07/11/17 02:48, Flemming Andreasen wrote:
>> We didn't draw any particular line, but the use case scenarios that we
>> tried to highlight are those related to overall security and regulatory
>> requirements (including public sector)
> I had a quick look at the draft (will try to read properly en-route to
> ietf-100) and I followed the reference to [1] but that only led to a
> forest of documents in which I didn't find any reference to breaking
> TLS so far at least. Can you provide an explicit pointer to the
> exact document on which that claim is based?

For NERC, you can look under "(CIP) Critical Infrastructure Protection". CIP-005-5 for example covers the electronic security perimeter, which has a couple of relevant requirements and associated text:

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-005-5&title=Cyber%20Security%20-%20Electronic%20Security%20Perimeter(s)&jurisdiction=United%20States

To be clear though, the document does not specifically call out breaking TLS, but it does clearly call out the need to detect malicious inbound and outbound communications by leveraging an "Electronic Access Point" (e.g. IDS/IPS) to enforce the Electronic Security Perimeter.

> I'd also claim that your reference to PCI-DSS is misleading, as that
> same spec also explicitly calls for there to be good key management
> specifically including minimising the number of copies of keys, so
> at most, one might be able to claim that PCI-DSS is ok with people
> who break TLS in a nod-and-a-wink manner. But if you do have a real
> quote from PCI-DSS that calls for breaking TLS then please do also
> send that (it's been asked for a bunch of times without any answer
> being provided so far).

I will need to look more closely for such a quote - if anybody else knows of one, please chime in as well.

Thanks

-- Flemming

> Thanks,
> S.
>
>
> [1]
> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00.html#ref-NERCCIP
>