Re: [TLS] TLS@IETF101 Agenda Posted

"Ackermann, Michael" <MAckermann@bcbsm.com> Tue, 13 March 2018 21:55 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F7E6126CD6 for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 14:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Level:
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7tYZdmphe3E for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 14:55:30 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64760120454 for <tls@ietf.org>; Tue, 13 Mar 2018 14:55:29 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 69652C0E57 for <tls@ietf.org>; Tue, 13 Mar 2018 16:55:29 -0500 (CDT)
Received: from imsva1.bcbsm.com (inetmta03.bcbsm.com [12.107.172.80]) by mx.z120.zixworks.com (Proprietary) with SMTP id 74AE5C0E55; Tue, 13 Mar 2018 16:55:28 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2ED9A92057; Tue, 13 Mar 2018 17:55:28 -0400 (EDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 01F0492053; Tue, 13 Mar 2018 17:55:27 -0400 (EDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (unknown [216.32.180.180]) by imsva1.bcbsm.com (Postfix) with ESMTPS; Tue, 13 Mar 2018 17:55:27 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RhmUJeFAvxpz2hfJwjzNSmouAaMOhuAlu74hXOqkZLo=; b=rS06G6oVndyqUc8d7LJBG6kmDuF+emV11WWSIpOK18zsUEyHimSa+AyYhBbaGvA5lKxdPxrYpXIClIv8IiMACyqO5j3jaXVr3gS/lwN9SIQ328j4EfMPaD2/vmrmE/IJ6V5SIuEeWs+RBqau+NXO3kuZ2ZqR8O2KBgVxImchd7I=
Received: from BN7PR14MB2369.namprd14.prod.outlook.com (20.176.22.144) by BN7PR14MB2353.namprd14.prod.outlook.com (20.176.22.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Tue, 13 Mar 2018 21:55:25 +0000
Received: from BN7PR14MB2369.namprd14.prod.outlook.com ([fe80::b16b:85b4:3e2:e0a2]) by BN7PR14MB2369.namprd14.prod.outlook.com ([fe80::b16b:85b4:3e2:e0a2%13]) with mapi id 15.20.0548.021; Tue, 13 Mar 2018 21:55:25 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Ted Lemon <mellon@fugue.com>
CC: nalini elkins <nalini.elkins@e-dco.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] TLS@IETF101 Agenda Posted
Thread-Index: AQHTtvl3AKQ0q5ossES5J6XIA/Lf/qPGleQAgABgywCAAXVYgIAACUMAgACBv4CAAEcAAIAFASoAgAAMrwCAAA5/gIAAAfkAgAABAICAAAZagIAAAWsAgAAVGwCAABbqMIAAFF+AgAATVNA=
Date: Tue, 13 Mar 2018 21:55:25 +0000
Message-ID: <BN7PR14MB236992BD87B793558F26B1EDD7D20@BN7PR14MB2369.namprd14.prod.outlook.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <986797a7-81b0-7874-5f39-afe83c86635b@cs.tcd.ie> <CAOgPGoBYc7O+qmjM-ptkRkE6mRsOYgc5O7Wu9pm3drFp3TVa6Q@mail.gmail.com> <d7dfdc1a-2c96-fd88-df1b-3167fe0f804b@cs.tcd.ie> <CAHbuEH7E8MhFcMt2GSngSrGxN=6bU6LD49foPC-mdoUZboH_0Q@mail.gmail.com> <1a024320-c674-6f75-ccc4-d27b75e3d017@nomountain.net> <2ed0gc.p5dcxd.31eoyz-qmf@mercury.scss.tcd.ie> <d7ec110f-2a0b-cf97-94a3-eeb5594d8c24@cs.tcd.ie> <CAAF6GDcaG7nousyQ6wotEg4dW8PFuXi=riH2702eZZn2fwfLQw@mail.gmail.com> <CAPsNn2XCNtqZaQM6Bg8uoMZRJE+qQakEwvw8Cn9fBm-5H+Xn_A@mail.gmail.com> <3F8142DE-EADB-4AB9-A204-7D87ACDCD3E3@akamai.com> <CAPsNn2VE_7+rWT0fp9rrVnZrgcY7ORLWTee+kf_Av1dqm4CiDQ@mail.gmail.com> <CB55AABB-8937-4F6B-B5AC-B6F262F08A4F@akamai.com> <CAPsNn2U_xG28Tumo3oRkQ+6=BHzgv-6YtgNSpwvhdFFRWc7EQQ@mail.gmail.com> <2DC45296-244E-4C72-8B3C-DE47EADAC2DE@fugue.com> <BN7PR14MB23696A2767FF9C1A410110AFD7D20@BN7PR14MB2369.namprd14.prod.outlook.com> <090F06AF-371D-4B11-91AA-BD80C1ADB4E9@fugue.com>
In-Reply-To: <090F06AF-371D-4B11-91AA-BD80C1ADB4E9@fugue.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-originating-ip: [165.225.39.65]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN7PR14MB2353; 7:a6AZTXHqSH/ZpOKT+VO+DwuqxvlgJOfmhke+wMNlmbViB5PovfeMPWpI+SXYzfVZL7Inec5qZxh1gJh6Eh9sy31IKU0gcxK7LMkTQjO5dcJsD5+zVCjj88m0q15o5aqdMWiX8HQSk82ph8YShNJ0QiiBU97ObqVnDCj45br+U3KEQb9AbNa/Xo5dX3ymPzZvGZXqFmVQwoHrtxz4A+zS8IfFwTcl5xO01fzlH3rn4IXNKXq8WYyYcHeZqbwdJJpZ; 20:vFhpdfEN3pxZ/VXk3WREHR31a4+pIryCoU3e6zvwUzAQyfEUSucfT+PXc9RMqQZgA/W38U6ETBDCmYKeNGKp91s6uiJbkaHCok52dQQ3pqVbBh34eYjYGN9aYeA+4VmXyxJmvV1LLq88t7QyOTdfWRhxa3j4roW79tx6yg7lqFA=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: be5ac730-289d-4c04-5900-08d5892d2078
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(7168020)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN7PR14MB2353;
x-ms-traffictypediagnostic: BN7PR14MB2353:
x-microsoft-antispam-prvs: <BN7PR14MB2353956AE6E78EEC147C5A03D7D20@BN7PR14MB2353.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(86572411397741);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231221)(944501244)(52105095)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(20161123564045)(20161123558120)(6072148)(201708071742011); SRVR:BN7PR14MB2353; BCL:0; PCL:0; RULEID:; SRVR:BN7PR14MB2353;
x-forefront-prvs: 0610D16BBE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(366004)(39860400002)(39380400002)(396003)(13464003)(51444003)(199004)(189003)(8936002)(7696005)(6506007)(186003)(72206003)(305945005)(93886005)(26005)(7736002)(2900100001)(81156014)(81166006)(3846002)(25786009)(102836004)(76176011)(53546011)(97736004)(55236004)(3280700002)(80792005)(86362001)(74316002)(59450400001)(14454004)(478600001)(99286004)(6116002)(2906002)(2950100002)(54906003)(68736007)(316002)(9686003)(6436002)(55016002)(8676002)(66066001)(6246003)(33656002)(3660700001)(53936002)(105586002)(106356001)(229853002)(4326008)(6916009)(5660300001)(5250100002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR14MB2353; H:BN7PR14MB2369.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 4Zto8ofAKCI7qBn29g68FZkOcLnVyzGKXvxov+1Yu8kWMpDvtEymCM3w4KJhw2xlexI2EAakRVfWOg1Vz1YOIok3bHNmoRky2cVvs68um5YlkDs7Bz0C+0FZLSO/g0q/ZfWknfpIwatZ5UKzQx9J2gomQBOZYpqGnp9FGv6/Le1HQOvQeyL3C052oaS0eHwHPoVrq8aazLyiM8rMdc52dvMqeZxnicNEhUyxhorAM8firNv+8HzdGF+Lrd2dzef0yjLnKXLrZSCl8QZb1wFDszCA/2+nq/7xpFDHl93NSPi50MIa+B64MdpktXD0tj8PCZpBu+TeR4xe+vhgkbwG7w==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: be5ac730-289d-4c04-5900-08d5892d2078
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2018 21:55:25.3147 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR14MB2353
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: e37a3726-01b5-44d3-945e-933e864b1791
X-VPM-MSG-ID: 48c5ace6-35a9-43e3-9472-25ebaf58bdbc
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NPCeqvzJNiIFaqm8QdOWljP5k9A>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 21:55:33 -0000

I will pretty much repeat what I said below.   Significant fundamental infrastructure changes,  are very difficult for very large organizations to assimilate.   Because of time and resource issues,  large organizations would seek to avoid major, overhaul type changes,  wherever possible.    The larger the organization,  the more ominous such challenges become.   I am sure I am not telling you anything you do not already know.  
But,    "Not making any changes" does not fall into this category.  
The fact that Enterprises are finally coming to the IETF table,  should be sufficient to show the willingness to be involved,  flexible,  compromise and yes................. change as necessary.  
From the beginning,  many Enterprises have waned nothing more than to have their use cases accepted as valid,  by the IETF,  and to collaborate with the IETF SMEs,  on crafting optimal solutions.  
I guess I am personally  still naïve enough to believe this can occur.  

To keep using TLS1.2 has been proposed and discussed many times over the past year or so and is not acceptable for many reasons outlined in Steve Fenters draft.  So I will refer to that, rather than add repetition to the list.  But suffice to say it is well beyond PCI for most Enterprises.  



-----Original Message-----
From: Ted Lemon [mailto:mellon@fugue.com] 
Sent: Tuesday, March 13, 2018 4:28 PM
To: Ackermann, Michael <MAckermann@bcbsm.com>;
Cc: nalini elkins <nalini.elkins@e-dco.com>;; <tls@ietf.org>; <tls@ietf.org>;
Subject: Re: [TLS] TLS@IETF101 Agenda Posted

On Mar 13, 2018, at 3:20 PM, Ackermann, Michael <MAckermann@bcbsm.com>; wrote:
> I think that most Enterprises are not espousing any conversations "how can we avoid making any changes?"

With respect, Michael, when I have conversed with you about this in the past, that is precisely what you have asked for.   You do not want to have to change your operational methodology, and any change to TLS that forces you to change your operational methodology is unacceptable to you.  I understand why that is, and I sympathize, but let's please be clear that this is your precise goal.

> But we would seek to avoid unnecessary,  wholesale, infrastructure architectural changes.

There's an easy way to do this, although as a sometime bank security geek I would strongly advise you to not do it: keep using TLS 1.2.

Of course, you've also explained why that isn't acceptable to you—you are afraid that the payment card industry will eventually force you to use TLS 1.3, just as they have, rather ineffectively, tried to insist that you use TLS 1.2.

Now why would they do that?



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.