Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 22 October 2017 19:38 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <86A43E91-7393-4891-9E5D-9DD385119E64@gmail.com>
Date: Sun, 22 Oct 2017 15:38:07 -0400
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Message-Id: <57740E2D-0E53-4586-A5E3-F3E6B7DCA87E@gmail.com>
References: <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII> <CAHOTMVJXiQqMGPfRy=z2=3D60L08BURrOxSAgGdH8_TCO6Hr8g@mail.gmail.com> <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com> <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com> <86A43E91-7393-4891-9E5D-9DD385119E64@gmail.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/POhb9Vl0MRoZooqIyBLqXGuP0Qs>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00


Sent from my iPhone

> On Oct 22, 2017, at 3:24 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> 
> 
> Sent from my iPhone
> 
>> On Oct 22, 2017, at 2:40 PM, Ted Lemon <mellon@fugue.com> wrote:
>> 
>>> On Oct 22, 2017, at 1:54 PM, Russ Housley <housley@vigilsec.com> wrote:
>>> No one is requiring TLS 1.3 that I know about.  However, there are places that require visibility into TLS.  I will let one of the people that works in a regulated industry offer pointers to the documents.
>> 
>> What they require is visibility into contents of the flow that they are using encryption to protect.   Right now, the protocol they are using is TLS 1.1 or TLS 1.2.   The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE, or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.
>> 
>> There is no reason other than momentum for them to switch to TLS 1.3 when it doesn't address their use case.
> 
> With no hat, I agree.
> https://www.rsa.com/en-us/blog/2017-08/tls-security-and-data-center-monitoring-searching-for-a-path-forward
> 

I should note that I have not read the new draft yet.  These threads keep me busy.
> Kathleen
> 