Re: [TLS] TLS@IETF101 Agenda Posted

Ted Lemon <> Tue, 13 March 2018 20:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E53E7126CE8 for <>; Tue, 13 Mar 2018 13:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id E9M_-o2pitkS for <>; Tue, 13 Mar 2018 13:27:43 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 218AD126CD6 for <>; Tue, 13 Mar 2018 13:27:43 -0700 (PDT)
Received: by with SMTP id a23so1111719qtm.4 for <>; Tue, 13 Mar 2018 13:27:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=d3oZ18XcP9ZDAxJyQgjy3BTuBWl37mjcwmPNKjvF51w=; b=QVW2Aq85bHb4SyAyUna2oaLbcfAl8TyOgT7pYr3I7kZpidDebWO6QK/OlVvnDw76PY n2mbQg36/WSHR81pAXGFLkp9uqthkgj7yFVXHQEBNuWh7IGUthTGHw7NU+0cEssdAh0k 2rcVGQlnrxnrhbWcr2KMV8+ZC9/IHpfj9kWf/jLpecgSo7JJbEU7I6ie7wJEb2WfGkNA nvWQTZPtMvQGSUYY5p7KUQWIlBU3ywnvYnsHU6d3v81Gvqk62HKNU6MXvGxQZzZqBtCS ADNX3/JBSR0u/6TFHRG01SZL1D25TaizbQiuMs8dMxJ6tOvYm7OJyF6TzMsegXQizxV+ Mapg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=d3oZ18XcP9ZDAxJyQgjy3BTuBWl37mjcwmPNKjvF51w=; b=NPOn7zDO5lkkj5kzLsZ0X7V/ZIJBgPWi7NT0NVF/YHe51n3DruWBkcxKtACgUdW6ZB UetzZ7ARHbQUh0B49p9SY8BKO5uv3xUH6CIDt60UUSMkUkgd9ekZZmhpYnfc6WENBR13 dDtsvdzyFdtR3ua0hWKQnCtSHXWXOLA2PhfwSWnkdFaK1xlJ7HxTZiZ4lFSU1GSN3L+I bu+hQGmt0snp5rZX5emJiTA6CB1P3YD0WqR27LO1ki71738w/nXjk2JM38mJ70yS0L0b mJhK72EqvJi8jiOhS9ZE+SZq/ninqMxrgt58NiK/e13GVMbDAbROKvVlrE55Odv9OCEW BdQg==
X-Gm-Message-State: AElRT7GNnvEoN/uhCvRmyPz77thxjXgPoXoqiKeQhU+ZSXlScT74MbmP QOo7XYwqFw8kQojC5AqO8bK1iA==
X-Google-Smtp-Source: AG47ELvKgTgAg4ii5AV2EGDZqonnYDN9b3iuir1B/9tS5wOyJyYJkXq2ddCanxyj9RTAZl2yEWMwhg==
X-Received: by with SMTP id g11mr3243275qtk.53.1520972862019; Tue, 13 Mar 2018 13:27:42 -0700 (PDT)
Received: from cavall.lan ( []) by with ESMTPSA id f197sm405999qka.3.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Mar 2018 13:27:40 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Tue, 13 Mar 2018 16:27:39 -0400
Cc: nalini elkins <>, "<>" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
To: "Ackermann, Michael" <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Mar 2018 20:27:45 -0000

On Mar 13, 2018, at 3:20 PM, Ackermann, Michael <> wrote:
> I think that most Enterprises are not espousing any conversations "how can we avoid making any changes?"

With respect, Michael, when I have conversed with you about this in the past, that is precisely what you have asked for.   You do not want to have to change your operational methodology, and any change to TLS that forces you to change your operational methodology is unacceptable to you.  I understand why that is, and I sympathize, but let's please be clear that this is your precise goal.

> But we would seek to avoid unnecessary,  wholesale, infrastructure architectural changes.

There's an easy way to do this, although as a sometime bank security geek I would strongly advise you to not do it: keep using TLS 1.2.

Of course, you've also explained why that isn't acceptable to you—you are afraid that the payment card industry will eventually force you to use TLS 1.3, just as they have, rather ineffectively, tried to insist that you use TLS 1.2.

Now why would they do that?