Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Yoav Nir <ynir.ietf@gmail.com> Mon, 23 October 2017 03:58 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <1A650F4C-A6DC-418C-A693-6056F4D8F9C2@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_7DA8E47A-AD9E-4CF2-A13E-6AFC8670998E"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.7\))
Date: Mon, 23 Oct 2017 06:58:52 +0300
In-Reply-To: <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
To: Ted Lemon <mellon@fugue.com>
References: <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII> <CAHOTMVJXiQqMGPfRy=z2=3D60L08BURrOxSAgGdH8_TCO6Hr8g@mail.gmail.com> <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com> <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
X-Mailer: Apple Mail (2.3445.1.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UuejVnqBw79ReCQhFqVcNd_Azqg>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00


> On 22 Oct 2017, at 21:40, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Oct 22, 2017, at 1:54 PM, Russ Housley <housley@vigilsec.com> wrote:
>> No one is requiring TLS 1.3 that I know about.  However, there are places that require visibility into TLS.  I will let one of the people that works in a regulated industry offer pointers to the documents.
> 
> What they require is visibility into contents of the flow that they are using encryption to protect.   Right now, the protocol they are using is TLS 1.1 or TLS 1.2.   The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE,

Right, and shamelessly plugging my working group, I2NSF has recently adopted a draft ([1]) that is aimed at enabling and automating the deployment of IKE/IPsec in the datacenter.

> or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.
> 
> There is no reason other than momentum for them to switch to TLS 1.3 when it doesn't address their use case.

[1] https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-03