Re: [TLS] TLS@IETF101 Agenda Posted

"Ackermann, Michael" <MAckermann@bcbsm.com> Tue, 13 March 2018 16:59 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23F3E127978 for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 09:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vL7iEQSPyhZ for <tls@ietfa.amsl.com>; Tue, 13 Mar 2018 09:59:02 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC267127775 for <tls@ietf.org>; Tue, 13 Mar 2018 09:59:01 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 506A31C0B94 for <tls@ietf.org>; Tue, 13 Mar 2018 11:59:01 -0500 (CDT)
Received: from imsva2.bcbsm.com (inetmta04.bcbsm.com [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id F12571C0B82; Tue, 13 Mar 2018 11:58:59 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0801FE066; Tue, 13 Mar 2018 12:58:59 -0400 (EDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3184EFE05C; Tue, 13 Mar 2018 12:58:59 -0400 (EDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (unknown [216.32.181.18]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Tue, 13 Mar 2018 12:58:59 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TOAXKjlHVDce7XlM5NzeDl6LN3DcqMwr84W0h8BGaUs=; b=n0gUdGEo7vhcOd3hOK4av9BO96lCqXCwpWFMnqjo6YYw2hLCB0RfevKCsbO9h6wedIeQdtT1Q3zD6E3GNnb+kB/33rJoO9lk8ZhbWNvm/szmQOiux1gR+HI2X4RrUizDI5gI9eQVyAORbgWtfgwBJsostFaWgEpiTrIe08D2YPw=
Received: from BN7PR14MB2369.namprd14.prod.outlook.com (20.176.22.144) by BN7PR14MB2212.namprd14.prod.outlook.com (20.176.17.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Tue, 13 Mar 2018 16:58:56 +0000
Received: from BN7PR14MB2369.namprd14.prod.outlook.com ([fe80::b16b:85b4:3e2:e0a2]) by BN7PR14MB2369.namprd14.prod.outlook.com ([fe80::b16b:85b4:3e2:e0a2%13]) with mapi id 15.20.0548.021; Tue, 13 Mar 2018 16:58:56 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: nalini elkins <nalini.elkins@e-dco.com>, =?utf-8?B?Q29sbSBNYWNDw6FydGhhaWdo?= <colm@allcosts.net>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] TLS@IETF101 Agenda Posted
Thread-Index: AQHTtvl3AKQ0q5ossES5J6XIA/Lf/qPGleQAgABgywCAAXVYgIAACUMAgACBv4CAAEcAAIAFASoAgAAMrwCAAA5/gIAAELpg
Date: Tue, 13 Mar 2018 16:58:56 +0000
Message-ID: <BN7PR14MB2369DB93B35F98E2409C530FD7D20@BN7PR14MB2369.namprd14.prod.outlook.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <986797a7-81b0-7874-5f39-afe83c86635b@cs.tcd.ie> <CAOgPGoBYc7O+qmjM-ptkRkE6mRsOYgc5O7Wu9pm3drFp3TVa6Q@mail.gmail.com> <d7dfdc1a-2c96-fd88-df1b-3167fe0f804b@cs.tcd.ie> <CAHbuEH7E8MhFcMt2GSngSrGxN=6bU6LD49foPC-mdoUZboH_0Q@mail.gmail.com> <1a024320-c674-6f75-ccc4-d27b75e3d017@nomountain.net> <2ed0gc.p5dcxd.31eoyz-qmf@mercury.scss.tcd.ie> <d7ec110f-2a0b-cf97-94a3-eeb5594d8c24@cs.tcd.ie> <CAAF6GDcaG7nousyQ6wotEg4dW8PFuXi=riH2702eZZn2fwfLQw@mail.gmail.com> <CAPsNn2XCNtqZaQM6Bg8uoMZRJE+qQakEwvw8Cn9fBm-5H+Xn_A@mail.gmail.com>
In-Reply-To: <CAPsNn2XCNtqZaQM6Bg8uoMZRJE+qQakEwvw8Cn9fBm-5H+Xn_A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [165.225.39.74]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN7PR14MB2212; 7:QNTSa1FpVUtkBKM1sH2/I/iDUfiyA/YMRxJb+DhTOq83n9N/fZthS/H/AawZy/gh9S1EmEbdWKKg82lelNzw2D9h+tlkMgcya1znk4rMu2S5vBRulahmCZU816L5yH1Df8Cu0rUiCoEluG2uphjLzh4ftfcbvSWmGCXLTUuRIxzrG8fpKquiFOtT3OJxG7lNTPi60GBLIAFwEg6qPSra1oxFOtXNt1h4O6BCr8SmzW26SuPWD8kpW9rfen9aL+/7; 20:ATTKI2dSAhCxypaepBWWioY0NQULvLz+yBZ135mmcwg0sr+v3p1C3N8SSVGVfwnf01pWtPS9ootkkup74xmOP4OIRO1ltqxuJWEgxwbPq80WqluMkMCdj8s1gjZ74y6sNoOp6qO+QUwycCs6iSs/bdSm9by/oY1TfhLUPQIgGpE=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 073ab4aa-a262-4532-ebc3-08d58903b595
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(7168020)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN7PR14MB2212;
x-ms-traffictypediagnostic: BN7PR14MB2212:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MAckermann@bcbsm.com;
x-microsoft-antispam-prvs: <BN7PR14MB2212431AFCCB2F5AB9D4FE8ED7D20@BN7PR14MB2212.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(32856632585715)(278428928389397)(120809045254105)(192374486261705)(100405760836317)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231221)(944501244)(52105095)(6041310)(20161123560045)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(6072148)(201708071742011); SRVR:BN7PR14MB2212; BCL:0; PCL:0; RULEID:; SRVR:BN7PR14MB2212;
x-forefront-prvs: 0610D16BBE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(39380400002)(39850400004)(366004)(189003)(199004)(229853002)(4326008)(3846002)(606006)(8936002)(790700001)(3660700001)(105586002)(106356001)(2900100001)(5660300001)(6116002)(66066001)(1680700002)(72206003)(5250100002)(966005)(3280700002)(14454004)(2950100002)(81166006)(8676002)(81156014)(6306002)(478600001)(54896002)(7736002)(9686003)(6436002)(236005)(68736007)(53936002)(6246003)(2906002)(102836004)(7696005)(53386004)(25786009)(99286004)(110136005)(186003)(97736004)(80792005)(316002)(561944003)(86362001)(33656002)(74316002)(76176011)(26005)(55236004)(53546011)(6506007)(59450400001)(93886005)(19609705001)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR14MB2212; H:BN7PR14MB2369.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: bcbsm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: w8Sy7l3QrM3yCrrTzHGmw6CCEk12ch/PhQL60GTrTpz8y1sWH0x8Efm21wzFCJvyxF4UvGEJIHizT4Q5Uvtwqk9Jf+AwQHu37SyrblTsteEmd03fMNSYZtAkxeO0JFMZbj4KwnMmfLZvvCm9FcjGURSEV+qqHfYGoo3c7+OX24cXgjetMJpTbVolGhXmwp7Xa15vYfJK1paFkWtbHKcYEEm2UoUTINi6XXDMJ/huoJB6ZZZiQ/AHz1AKt3NPe6DlGqLAZzoemOKt4frNeKiQWecq6cJuocAetyDDLox4aNnSQ4eBN+M5+ExzG8//fOaEaM6Z8ZQGzjXgn7hruCXNhQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN7PR14MB2369DB93B35F98E2409C530FD7D20BN7PR14MB2369namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 073ab4aa-a262-4532-ebc3-08d58903b595
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2018 16:58:56.6732 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR14MB2212
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: ab877c82-4aa5-4d49-85d8-ee5644fdec66
X-VPM-MSG-ID: 8001c666-7bae-4d5b-9458-fb51b870cc05
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XzmZnf2Z2s0B3gANrgUzvmivtZw>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 16:59:06 -0000

+1 !
Well stated.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of nalini elkins
Sent: Tuesday, March 13, 2018 11:59 AM
To: Colm MacCárthaigh <colm@allcosts.net>;
Cc: <tls@ietf.org>; <tls@ietf.org>;
Subject: Re: [TLS] TLS@IETF101 Agenda Posted

Stephen (and TLS group)

We need to look at the bigger picture.

The TLS working group has been concentrating on making the Internet secure for the individual user.    We feel that there is also an underlying motivation to help the underdog and protect the political dissident.  These are all laudable goals.

But, the Internet is much more than that.  The Internet is the underpinnings of much of the business community which is utilized by consumers (end users).   Making a change which makes businesses less secure because crucial functions cannot be done will lead to enormous chaos and disruption.   Many businesses are likely to not want to adopt TLS1.3 or seek unique DIY type alternatives.  In fact, we have already heard of some planning to block TLS 1.3 traffic just for this reason.  So, the main thing to acknowledge is that the enterprise use case is different than the Internet use case.  As such, it needs its own solution.  Please note that the endpoint is the intended recipient of the session and the owner and responsible party for the security of the data.

The presentation in London is to present a use case solution – along with TLS WG recommendations/updates from Prague where half of the room hummed that an internal solution is needed.

This rift is not good for the TLS Working Group, it is not good for the IETF, it is not good for the business community and it is not good for the Internet.  We need to have some type of methodology so that we can continue to protect ourselves.  Therefore, we are asking for WG help with a solution to the enterprise use case.

This ID helps explain the situation and subsequent need.  If you haven’t had a chance to read it yet, please try to do it before the London meeting.
https://datatracker.ietf.org/doc/draft-fenter-tls-decryption/

Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com<http://www.e-dco.com>


On Tue, Mar 13, 2018 at 8:06 AM, Colm MacCárthaigh <colm@allcosts.net<mailto:colm@allcosts.net>> wrote:

It's my fault for the ambiguous wording, but in this context the quote from me reads as the opposite of my intent.  To be more clear: what I meant was that while the proposals aren't making much progress, I don't mind that it's being discussed.

I'm happy to have mailing list threads on the topic and agenda time devoted to it (I don't go in person, but I do watch the videos). Since it's an area of such disagreement, I'd prefer to see /more/ discussion, not less. There's always hope of movement and progress on either side, and I think good discourse lessens the risk of dozens of fragmentary DIY solutions, which I think will be the worst kind of outcome of non-engagement.

On Tue, Mar 13, 2018 at 10:21 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:

Hiya,

Just to be clear: I'm still waiting for the chairs and/or
AD to explain how the proposed discussion of this draft
is consistent with IETF processes, given the results of
the discussion in Prague (a very clear lack of consensus
to even work on this topic), and the discussion of the
-00 version of this late last year. IOW, I don't consider
my objection has been answered.

In case people haven't got all the mails from last year
at the front of their minds, I went through them for you
and have provided links and selected quotes below. Yes,
the quotes are selected but I think do indicate that the
opposition to these ideas is as before. And there were
also the usual voices in support of weakening TLS in this
manner as well - a read of the thread clearly indicates
to me that discussion of this draft in London will, as
before, be a divisive waste of time and energy.

Chairs: Please drop the agenda item, or explain how any
of this fits our process, because I'm just not getting
it.

Thanks,
Stephen.


me, "IMO the WG shouldn't touch this terrible proposal with a
bargepole."

        https://www.ietf.org/mail-archive/web/tls/current/msg24493.html

Randy Bush: "there are a lot of us lurkers out here a bit horrified
watching this wg go off the rails." (Different thread, but same topic)

        https://www.ietf.org/mail-archive/web/tls/current/msg24539.html

Uri Blumenthal: "+1 to Stephen"

        https://www.ietf.org/mail-archive/web/tls/current/msg24542.html

Rich Salz: "put this on hold for a year or two after TLS 1.3 is done"

        https://www.ietf.org/mail-archive/web/tls/current/msg24544.html

Ion Larranaga Azcue, "I really don't feel confortable with the approach
taken in this draft."

        https://www.ietf.org/mail-archive/web/tls/current/msg24562.html

Hubert Kario: "to be clear: me too" (replying about hating the idea)

        https://www.ietf.org/mail-archive/web/tls/current/msg24578.html

Rich Salz: "I am opposed to the basic concept of injecting a third-party
into the E2E TLS process."

        https://www.ietf.org/mail-archive/web/tls/current/msg24585.html

Florian Weimer: "I don't understand why this complicated approach is
needed."

        https://www.ietf.org/mail-archive/web/tls/current/msg24607.html

Ben Kaduk: "I do not see any potential for a workable solution."

        https://www.ietf.org/mail-archive/web/tls/current/msg24620.html

Uri Blumenthal: "why do we spend time discussing this draft?"

        https://www.ietf.org/mail-archive/web/tls/current/msg24639.html

Christian Huitema: "Maybe they have found ways to manage their
applications and servers without breaking TLS..."

        https://www.ietf.org/mail-archive/web/tls/current/msg24643.html

Ted Lemon: "I think we should stop."

        https://www.ietf.org/mail-archive/web/tls/current/msg24649.html

Andrei Popov: "deploying a weakened configuration of TLS 1.3 (without
PFS) would not meet the intent of those future mandates/requirements."
(On "industry need")

        https://www.ietf.org/mail-archive/web/tls/current/msg24656.html

Ben Kaduk: "The time I am spending on this thread is time that I am not
able to spend improving the TLS 1.3 document."

        https://www.ietf.org/mail-archive/web/tls/current/msg24660.html

Dave Garrett: "Please, let's just let this mess die. "

        https://www.ietf.org/mail-archive/web/tls/current/msg24667.html

Uri Blumenthal "I'm against weakening the protocol, since there are
other ways to accomplish the perlustrator's mission"

        https://www.ietf.org/mail-archive/web/tls/current/msg24670.html
        Yeah, I had to look it up too:-)
        https://en.oxforddictionaries.com/definition/us/perlustrator

Adam Caudill: "To be honest, I’m rather surprised that this group
continues to spend time on this."

        https://www.ietf.org/mail-archive/web/tls/current/msg24712.html

Tony Arcieri, "Having worked (and presently working) for more than one
company of this nature, in the payments business no less, I would like
to restate that it's incredibly disingenuous to cite the need for
self-MitM capability as an "industry" concern."

        https://www.ietf.org/mail-archive/web/tls/current/msg24715.html

Colm MacCárthaigh: "I don't have too strong an interest in this thread,
it's not going anywhere, and I don't mind that."

        https://www.ietf.org/mail-archive/web/tls/current/msg24720.html

Peter Saint-Andre: "+1 to Stephen's request." (for chairs to close down
the discussion)

        https://www.ietf.org/mail-archive/web/tls/current/msg24734.html

Cas Cremers: " I think such a mechanism should not be part of the TLS
1.3 standard."

        https://www.ietf.org/mail-archive/web/tls/current/msg24885.html

Karthikeyan Bhargavan: "I really don’t recommend any change to the TLS
1.3 design to accomplish any of this"

        https://www.ietf.org/mail-archive/web/tls/current/msg24903.html


_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls



--
Colm

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls



--
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com<http://www.e-dco.com>



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.