Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Steve Fenter <steven.fenter58@gmail.com> Sun, 22 October 2017 20:48 UTC

Cc: "Ackermann, Michael" <MAckermann@bcbsm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Darin Pettis <dpp.edco@gmail.com>, "tls@ietf.org" <tls@ietf.org>
From: Steve Fenter <steven.fenter58@gmail.com>
Date: Sun, 22 Oct 2017 15:48:36 -0500
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YYDtRPXceCZGpu_HajlsJcEtEnQ>

The main problem with not addressing the TLS visibility issue now is that no one knows when a vulnerability will be discovered in TLS 1.2 that forces enterprises to upgrade to TLS 1.3. We've had guarantees that TLS 1.2 and the RSA key exchange are going to be fine for 5 to 10 years, but nobody knows that, particularly in today's security environment. I've also learned that getting a solution in place through the IETF is a multi-year process, and then vendor adoption time has to be added on top of that. Enterprises don't want to be caught in a position where a vulnerability is forcing us to upgrade, and we are starting at ground zero on a multi-year process to restore TLS visibility. We have to get out in front of this problem so we're not caught unprepared.

> On Oct 20, 2017, at 11:57 AM, "Salz, Rich" <rsalz@akamai.com> wrote:
> 
> 
> 
> So it sounds like we are in agreement that continuing to use TLS 1.2 is not a viable long term alternative.
> 
> 
> Long-term is a subjective term, and using it can lead to misunderstandings.
> 
> Based on current and previous actions around SSL and TLS versions, you can use TLS 1.2 for at least five, likely at least 10, years.