Re: [TLS] Industry Concerns about TLS 1.3

Melinda Shore <> Thu, 29 September 2016 00:50 UTC

On 9/28/16 4:36 PM, Tony Arcieri wrote:
> The IETF is doing great work. This entire thread is a distraction, and I
> hope it does not result in changes which weaken TLS 1.3's security.

I think it's quite clearly the case that that is not going to happen.
But, that doesn't mean that these guys don't have a problem worth
addressing, even if they're asking for a crap solution to it.  The
IETF is an insular organization and I tend to think that leads to
poorer outcomes in some cases than we might otherwise have produced.

I am not suggesting that his request for a protocol that he
can break needs serious consideration, but that the fact that he's
come up with an unacceptable solution to a problem that he's
identified doesn't mean that the problem either doesn't exist or
is completely outside the IETF's scope.

All that's going to come out of discussion here is unhelpful
and largely redundant finger-wagging.  I think these guys ought
to write up the problem they've got and post a draft.