Re: [TLS] Industry Concerns about TLS 1.3

"Salz, Rich" <rsalz@akamai.com> Sun, 25 September 2016 02:09 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>, Pawel Jakub Dawidek <p.dawidek@wheelsystems.com>, "tls@ietf.org" <tls@ietf.org>
Date: Sun, 25 Sep 2016 02:09:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/J8obwhianQxEez7oGFXAICFfZ1w>

>   This lack of scope, depth and detail [in MITM infrastructures] is what drove us to
> install the packet collection infrastructures (debugging networks I think some
> are saying).

At the risk of repeating myself and flogging this dead horse... What you are doing is exactly what the nation-state actors are doing. I bet that some even use that exact phrase of "packet collection infrastructure."

I understand that if you want to use TLS 1.3, it is going to be expensive and/or inconvenient; you're going to have to educate regulators and get bespoke TLS endpoint solutions from vendors. Perhaps you can get the NSAs to stop collecting everyone's Internet traffic for future decoding?

Less flippantly, what specifically would you have us do? What do you want in the protocol that enables your needs, but doesn't make it possible for everyone in the world to be surveilled?  Please, make some specific suggestions.