Re: [TLS] Industry Concerns about TLS 1.3

"Salz, Rich" <rsalz@akamai.com> Mon, 26 September 2016 12:33 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Date: Mon, 26 Sep 2016 12:33:02 +0000
Message-ID: <4590ea63c46a4aef937751a0bd01e77e@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/j9XAfiZJfjaFnCxwiSv2N1ty1r4>
Subject: Re: [TLS] Industry Concerns about TLS 1.3

> I understand your concern over what the nation-state actors are doing but it
> is not the same as what Enterprises do to manage their private servers,
> networks and clients.

Okay, in technical terms only, what is the difference?
> My personal perspective would be, that the approach to achieving an answer
> to that important question, would start with:

It's too late for that.  We're at the end-game, not the start.  I'm only a WG member, not editor, chair, or Area Director, but I would be extremely surprised if there was any consensus to delay things.  

> What I would like to see come out of the debate we seem to be currently
> involved in,  is the realization that significant operational/management

I hope you don't take this the wrong way, but I don't see that we're having a debate. I see a couple of new WG members re-raising an issue that the WG decided years ago.  And that the rest of the WG is pretty consistently expressing their, shall we call it, lack of interest?  And some people have offered TLS 1.2, end-point-based interception, and static key shares as ways to address it.  And I haven’t seen a response to those suggestions.

Your most effective course of action is to come up with a specific proposal, and probably within a week or two.