Re: [TLS] Industry Concerns about TLS 1.3

"Ackermann, Michael" <MAckermann@bcbsm.com> Sun, 25 September 2016 21:20 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8CE812B030 for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 14:20:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sh2YbL-J5lZX for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 14:20:06 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A421512B01F for <tls@ietf.org>; Sun, 25 Sep 2016 14:20:06 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id C2FD4C1452 for <tls@ietf.org>; Sun, 25 Sep 2016 16:20:05 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [12.107.172.80]) by mx.z120.zixworks.com (Proprietary) with SMTP id 412C3C1448; Sun, 25 Sep 2016 16:20:05 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F1DD992057; Sun, 25 Sep 2016 17:20:04 -0400 (EDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E676F92053; Sun, 25 Sep 2016 17:20:04 -0400 (EDT)
Received: from pwn401ea100.ent.corp.bcbsm.com (unknown [10.64.80.217]) by imsva1.bcbsm.com (Postfix) with ESMTPS; Sun, 25 Sep 2016 17:20:04 -0400 (EDT)
Received: from PWN401EA120.ent.corp.bcbsm.com ([169.254.12.26]) by PWN401EA100.ent.corp.bcbsm.com ([10.64.80.217]) with mapi id 14.03.0301.000; Sun, 25 Sep 2016 17:20:04 -0400
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: "Salz, Rich" <rsalz@akamai.com>, Pawel Jakub Dawidek <p.dawidek@wheelsystems.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Thread-Index: AQHSFXFM47cmA/iFbUeqweJ91YYuHKCHJUIQgABH84D//8NPsIAASjEA///OLFCAATAygIAAaEiggADal4CAAPeiEA==
Date: Sun, 25 Sep 2016 21:20:04 +0000
Message-ID: <4FC37E442D05A748896589E468752CAA0DBCBA55@PWN401EA120.ent.corp.bcbsm.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC6CAC@PWN401EA120.ent.corp.bcbsm.com> <fd4ad423-3614-5330-b687-1b5848e839f0@wheelsystems.com> <4FC37E442D05A748896589E468752CAA0DBC9732@PWN401EA120.ent.corp.bcbsm.com> <b24efbbb594040e794f7513b7e62b3c7@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <b24efbbb594040e794f7513b7e62b3c7@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.10.35]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: ab967bec-fd6d-4c49-b0fa-6d9166295e8b
X-VPM-MSG-ID: 2ddc96b9-14b8-474d-a4a6-c69f08fbbbf5
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jGYRyXmOzEfqacUFCiA6sAC7dsI>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 21:20:11 -0000

I understand your concern over what the nation-state actors are doing but it is not the same as what Enterprises do to manage their private servers, networks and clients.        
 
Your final paragraph is quite a constructive question.   "What specifically would you have us do? What do you want in the protocol that enables your needs, but doesn't make it possible for everyone in the world to be surveilled?  Please, make some specific suggestions."

My personal perspective would be, that the approach to achieving an answer to that important question, would start with:

1.  Gathering  protocol neutral requirements from all involved factions,  (with help and suggestions from people on the TLS list)

2.   Brainstorming session(s) with people on the TLS list as well potential users/operators, with objectives that include the design of a solution that meets (hopefully) all known requirements.  

What I would like to see come out of the debate we seem to be currently involved in,  is the realization that significant operational/management  issues exist with TLS 1.3 and that the IETF is taking them seriously enough to at least begin dialogue intended to address these issues, and potentially work together to craft related solution(s).   In my view this issue is far too complex &  pervasive to believe that any one person or group's perspective would produce a viable overall solution.  

Again, let me restate,  I don't think anyone is saying that we MUST have RSA.    But, we, as the clients of the IETF TLS protocol, would like to work with you to assure we have workable, manageable  and affordable solutions,  that meets our needs as well as the needs of others.

-----Original Message-----
From: Salz, Rich [mailto:rsalz@akamai.com] 
Sent: Saturday, September 24, 2016 10:10 PM
To: Ackermann, Michael <MAckermann@bcbsm.com>;; Pawel Jakub Dawidek <p.dawidek@wheelsystems.com>;; tls@ietf.org
Subject: RE: [TLS] Industry Concerns about TLS 1.3

>   This lack of scope, depth and detail [in MITM infrastructures] are 
> what drove us to install the packet collection infrastructures 
> (debugging networks I think some are saying).

At the risk of repeating myself and flogging this dead horse...  What you are doing is exactly what the nation-state actors are doing.  I bet that some even use that exact phrase of "packet collection infrastructure." 

I understand that if you want to use TLS 1.3, it is going to be expensive and/or inconvenient; you're going to have to educate regulators and get bespoke TLS endpoint solutions from vendors. Perhaps you can get the NSA's to stop collecting everyone's Internet traffic for future decoding?

Less flippantly, what specifically would you have us do? What do you want in the protocol that enables your needs, but doesn't make it possible for everyone in the world to be surveilled?  Please, make some specific suggestions.
 



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.