Re: [TLS] Industry Concerns about TLS 1.3

BITS Security <BITSSecurity@fsroundtable.org> Tue, 27 September 2016 18:34 UTC

Return-Path: <BITSSecurity@fsroundtable.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D7612B32A for <tls@ietfa.amsl.com>; Tue, 27 Sep 2016 11:34:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fsroundtable.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5f9M_chMW_Cg for <tls@ietfa.amsl.com>; Tue, 27 Sep 2016 11:34:31 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0079.outbound.protection.outlook.com [104.47.41.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A8B5128B37 for <tls@ietf.org>; Tue, 27 Sep 2016 11:34:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fsroundtable.onmicrosoft.com; s=selector1-fsroundtable-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1Yzhx5FDE4aF4hZ3rlUCrz4Sy8enVInQNS77BXax2MY=; b=Zw4Owz8JUFPtmXrEcHd/PBBdB+/t/cZGdzNK3jZGKYI6imuTwi68jISS5Gc681e1JOiuHN5CGPHa4wHqcc5X8hBJrJWKVRDDLW3CYH/DZ1mYT886ZvQlsTe8vHanMJTibo3PT2zY17/v1Za2ePYI/LLancizdzfP+XlskIHzq98=
Received: from DM5PR11MB1419.namprd11.prod.outlook.com (10.168.104.21) by DM5PR11MB1419.namprd11.prod.outlook.com (10.168.104.21) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.619.10; Tue, 27 Sep 2016 18:34:30 +0000
Received: from DM5PR11MB1419.namprd11.prod.outlook.com ([10.168.104.21]) by DM5PR11MB1419.namprd11.prod.outlook.com ([10.168.104.21]) with mapi id 15.01.0619.011; Tue, 27 Sep 2016 18:34:30 +0000
From: BITS Security <BITSSecurity@fsroundtable.org>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Thread-Index: AdIU8WqWM9WBapZoQzyfqxiOaK25fQADrwVgABxJhIAADgIdgAAAS/+AAAFEjIAAAGtwAAACvFsAAARoUQAAAOAJQAACcOKAAMNfPuAAAO+FgAAAHMVw
Date: Tue, 27 Sep 2016 18:34:30 +0000
Message-ID: <DM5PR11MB1419982941ECB14040873E6AF4CC0@DM5PR11MB1419.namprd11.prod.outlook.com>
References: <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <72011214.413503.1474650126973@mail.yahoo.com> <e24a06b8d0d04ccc80b9a55d83bf5606@usma1ex-dag1mb1.msg.corp.akamai.com> <DM5PR11MB141926C5806296FFD7252A45F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <CABcZeBNCoB6hd-c-x8tzT3k7ZFKs85NS04Fs-_CO+U4YZ-WjQg@mail.gmail.com> <DM5PR11MB1419BC83C76834E7C0CC0B7CF4CC0@DM5PR11MB1419.namprd11.prod.outlook.com> <20160927182409.GA26653@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160927182409.GA26653@LK-Perkele-V2.elisa-laajakaista.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=BITSSecurity@fsroundtable.org;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [165.117.248.226]
x-ms-office365-filtering-correlation-id: acba76f9-3188-46c7-9ea6-08d3e704eb68
x-microsoft-exchange-diagnostics: 1; DM5PR11MB1419; 6:RkUEKWKeL2osfo1Uj9Wkjcflwg7kiCyhUWOziZ1pXei/ZswpHScP3IpvS4C4d/33TcVGQnv0+JBV4sxKbYYqhA+P+Gp+2fFOj/UZCrH2jZYZDz8qzw9WlpNGyT/RA7csR7CeXOy6IEu/rREpDEOI+uQgR23rfNjQF531jsYVrKc3yrWmUAX7ZEfS1FIJRzZIKlsThYnIacm2hIsdtvKHIIHmNYxzgSdgFFqMiFCJrmVjOvEWzGefNXL2jJwNC7WZ6DBsty1QkOS41g/flQUggfccar1io7OHwH9SeV5sfF3gEuPw1EBBUBaLq+02yl9h; 5:Pr33W37HSXeamdqt39cgvED2fWAvXxoKHyElL3ng4aWt9X4LDzBL416F5xfnTTU1cPLNehPAVKh+PAsZ7dTj7oOrj+AcovmJjIjxZt3Am0On1WcDE+jaa3niYZS8t1MwM+JTjl8ut7PZ2xJnmQxqWA==; 24:JXZmmXquHfjYDewLpv7uXiweN1h53Osn5azc4iex+j/68QzIsQTH5tmRZ0fJVQU8Sp+i0pvMftrxPtOhYsOVSrOGNA2Efbp7eMK16sn/5+I=; 7:qZMMTdlQ9Twhnih6rkwiZi6+PKjIQnlgrb39hJOLiSvMPF/qaGh1C3MZxoyAMkwqvJbtpd/EKTSNxEhJXjGL6i2ATbtsvyCZ1LqHhoWmiHtBmrZFH1Rm4tdVL/MZfNMGZx5aDduSDYJ63ZRQnqY/XGZ+E+Iv06MwJN1o988nsXLmuN0nr6iBT3Xa7rvYV4An/cmGMOBkDOtqjE+NpI+UEv5t+/3jeCwYPyeNRIi614t5X7kwBwIPr3cAcCVPiXgJ7d/LCFc3p1SH+YVu12E109DOdE9+4H49Tk9F5SS35z85vXNMP5xaYvh0/yHXWFOz
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR11MB1419;
x-microsoft-antispam-prvs: <DM5PR11MB1419FE834B4DBE32401F3CEBBDCC0@DM5PR11MB1419.namprd11.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(72170088055959)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6043046)(6042046); SRVR:DM5PR11MB1419; BCL:0; PCL:0; RULEID:; SRVR:DM5PR11MB1419;
x-forefront-prvs: 007814487B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(377454003)(189002)(13464003)(24454002)(101416001)(7846002)(19580405001)(5002640100001)(11100500001)(305945005)(7736002)(92566002)(6916009)(2950100002)(87936001)(80792005)(10400500002)(74316002)(6116002)(586003)(2501003)(4326007)(2900100001)(2906002)(68736007)(77096005)(5640700001)(102836003)(3846002)(97736004)(5660300001)(189998001)(66066001)(9686002)(345774005)(76576001)(19580395003)(7696004)(76176999)(54356999)(33656002)(50986999)(8936002)(1730700003)(81166006)(93886004)(81156014)(8676002)(99286002)(3660700001)(122556002)(106356001)(2351001)(86362001)(3280700002)(105586002)(110136003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1419; H:DM5PR11MB1419.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: fsroundtable.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: fsroundtable.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Sep 2016 18:34:30.2167 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 841de5a0-73e8-4cbc-8142-f80b225ef22d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1419
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cMAv9Gj037tzLnjfQOd6dP2k0g8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2016 18:34:33 -0000

Ilari - I understand yours (and others) view on this but there is no technical reason why this couldn't be part of the standard.  A potential solution, like many cipher suite *choices* in past versions of TLS, would be optional and up to both clients and servers to configure what they are willing to support (or not support).  You appear to be assuming everyone is running off the same set of requirements (one-size-fits-all) and we are here to tell you that isn't necessarily true.  

- Andrew




-----Original Message-----
From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com] 
Sent: Tuesday, September 27, 2016 2:24 PM
To: BITS Security <BITSSecurity@fsroundtable.org>;
Cc: Eric Rescorla <ekr@rtfm.com>;; tls@ietf.org
Subject: Re: [TLS] Industry Concerns about TLS 1.3

On Tue, Sep 27, 2016 at 06:07:28PM +0000, BITS Security wrote:
> Hi Eric--Thank you for the prompt.  
> 
> Our requirements are for the same capabilities we have today with TLS 
> 1.2, namely to be able to take a trace anywhere in our enterprise and 
> decrypt it out of band (assuming that we own the TLS server).  This 
> includes traces taken from physical taps, traces from span or mirror 
> ports, traces from the virtual environment, and/or traces from agents 
> on workstations.  We need to be able to apply a key to sniffer 
> devices, security and fraud monitoring tools, APM devices, and/or TLS 
> decryption appliances.

No changes to standards are going to happen to make that any easier.
Don't waste your time.


-Ilari