Re: [TLS] TLS@IETF101 Agenda Posted

"Salz, Rich" <rsalz@akamai.com> Tue, 13 March 2018 22:39 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>, Ted Lemon <mellon@fugue.com>
CC: "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 13 Mar 2018 22:38:45 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K8cIwaf2pTG4fkaY0ZG3v0U3YkU>

>    To keep using TLS1.2 has been proposed and discussed many times over the past year or so and is not acceptable for many reasons outlined in Steve Fenter's draft.  So I will refer to that, rather than add repetition to the list.  But suffice to say it is well beyond PCI for most Enterprises.
   
So I re-read Steve's document.  This is what it says about TLS 1.2:

   TLS 1.2 [RFC5246] is not a long term option for enterprises.  The RSA
   key exchange is gradually being removed by vendors as a TLS 1.2
   option. For example, mobile devices have been seen to send TLS 1.2
   Client Hello's with no RSA key exchange options.  There is also the
   risk that new vulnerabilities and weaknesses will be discovered with
   TLS 1.2 and/or RSA that will accelerate its removal by other vendors.

   When significant vulnerabilities were found in SSL and early TLS in
   late 2014 (including POODLE), it took the PCI Security Standards
   Council less than a year to require a migration plan away from these
   SSL/TLS versions (PCI Information Supplement: Migrating from SSL and
   Early TLS).  Enterprises are at risk that vulnerabilities could be
   found in TLS 1.2 or in the RSA key exchange, and that PCI will
   require upgrade to TLS 1.3.  There is no guarantee that TLS 1.2 will
   be available many years into the future.

We have an assertion. A general claim that it's being removed, supported by an observation that one or more mobile devices only do PFS.  Worries about a possible risk being discovered in TLS 1.2 and static-RSA.  That first paragraph contains very few facts, doesn't it?

The second paragraph talks about how quickly PCI DSS moved. As a counterpoint, how quickly did they move to delay TLS 1.0 when organizations pushed back?   SSL3 was "safe" to remove.  So far they can't even follow industry best practices and remove TLS 1.0!  The last part of the paragraph repeats the previous concern and adds nothing new. (To be fair, they are three pages apart.)

So yes, let's discuss in detail why TLS 1.2 isn't acceptable because, from what I see, you haven't made the case.