Re: [TLS] Industry Concerns about TLS 1.3

Jeffrey Walton <noloader@gmail.com> Fri, 23 September 2016 21:44 UTC

From: Jeffrey Walton <noloader@gmail.com>
Date: Fri, 23 Sep 2016 17:44:47 -0400
Message-ID: <CAH8yC8=dCzLEsN8tJt+gOCwPGBMYugaEVpUzSJGBSx73hTdTRQ@mail.gmail.com>
To: BITS Security <BITSSecurity@fsroundtable.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Hf0qaHgZnguU_ShXTQgR1r-4kdA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3

On Fri, Sep 23, 2016 at 5:34 PM, BITS Security
<BITSSecurity@fsroundtable.org> wrote:
>> you can keep using TLS1.2 in your internal network, can't you?
>
> There are both public and private sector regulators arcing towards being more prescriptive in this area.  It is possible, if not likely, in the not too distant future that my member companies will not have the choice to "downgrade" to "obsolete" TLS versions.

It's not the first time C&A has worked against security.

Password complexity and rotation policies come to mind; they cause the
security in the system to drop as users are forced to comply.

Would a KMIP/KeyServer help? Hosts can ask the key server for
its random key or seed material, and then use them for key derivation and
for protocol execution. I built a proof of concept interception proxy
to do it a few years ago to help understand the intersection of a service
like CipherCloud with C&A.

Jeff