Re: [TLS] Industry Concerns about TLS 1.3

"Salz, Rich" <> Fri, 23 September 2016 19:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E56CC12B00B for <>; Fri, 23 Sep 2016 12:08:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.017
X-Spam-Status: No, score=-5.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kKGL0geXSDLW for <>; Fri, 23 Sep 2016 12:08:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8604B12B09C for <>; Fri, 23 Sep 2016 12:08:20 -0700 (PDT)
Received: from (localhost.localdomain []) by postfix.imss70 (Postfix) with ESMTP id F3F80433487; Fri, 23 Sep 2016 19:08:19 +0000 (GMT)
Received: from ( []) by (Postfix) with ESMTP id C421B433483; Fri, 23 Sep 2016 19:08:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a1; t=1474657699; bh=M1xL5iTxfgYvqJDWojkKYNydu2mbyS+XnletUY5a3WM=; l=2882; h=From:To:CC:Date:References:In-Reply-To:From; b=0NLVP7BqQ5FgY3c9ME024vX20s5BWMlIJDN1E9bgju1hZ9lW8RqADGYJdXN3zwebC Y6WJpIhSX/PctednZFbMqiNRHZLk/jEuWz3PoB0SnO5D0Aarc3rHNnnnmzbFTXd8ov fuh3/7pmxoY2RZjWalzH4t5QZ97/qZZjduFJDvq4=
Received: from ( []) by (Postfix) with ESMTP id B28D41FC8C; Fri, 23 Sep 2016 19:08:19 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 23 Sep 2016 15:08:19 -0400
Received: from ([]) by ([]) with mapi id 15.00.1178.000; Fri, 23 Sep 2016 15:08:19 -0400
From: "Salz, Rich" <>
To: "" <>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Date: Fri, 23 Sep 2016 19:08:18 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 Sep 2016 19:08:23 -0000

> It would be very interesting to get the network diagnostic and operations people (rather than the architects) of the above companies involved in this conversation.

Nothing has ever stopped them.  Never. Participation is as simple as joining a mailing list.  The IETF has been doing SSL and TLS for nearly 20 years.  It is not a secret.  It was incumbent on them to reach out and get involved.   

> Why don't we listen to each other?   I know at IETF, I often hear that we don't get enough operators to comment and give feedback.  Well, here you have some.  It may be that these companies have problems that are different from Google's (just as an example).

Don't try to equate "listen to each other" with "meet my requirement."  The message has been stated, very clearly, from individuals, WG members, through document editors and WG chairs and up to Security Directors:  static RSA is not coming back to TLS 1.3 .  Since before the last IETF this was the message, consistently.  So perhaps you should answer the question first -- why aren't *you* listening? :)

PFS is also possible in TLS 1.1 and later.  What does, say USBank, do to prevent PFS in their existing deployment?  Why won't additional controls to prevent TLS 1.3 and its mandatory PFS be expected to work here as well?  So far all I've seen is "maybe there's bugs in TLS 1.2 and we'll be forced to move to TLS 1.3"  Shrug.  There are bugs everywhere.   Maybe there's bugs in TLS 1.3 too.

Look, pretty much the entire world is being spied on by national-scale adversaries who are recording all traffic for eventual decryption and correlation.  *Almost everyone* is having their traffic surveilled. The problems of debugging a set of enterprise apps doesn’t amount to a hill of beans in that world. It just doesn't. Same for a particular industry's regulatory requirements. 

> Isn't our goal to have the best standards possible?   Any organism (including the IETF), needs feedback to thrive.

Oxygen, coke, and cookies too.

Senior Architect, Akamai Technologies
IM: Twitter: RichSalz