Re: [TLS] TLS Impact on Network Security draft updated
Watson Ladd <watsonbladd@gmail.com> Tue, 23 July 2019 18:36 UTC
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com> <E73DC7CA-71F1-4309-BBC9-6DF776E04350@gmail.com>
In-Reply-To: <E73DC7CA-71F1-4309-BBC9-6DF776E04350@gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 23 Jul 2019 11:35:49 -0700
Message-ID: <CACsn0ck3=wdt5954CvNRbNS3s+qn5NGOUZm0j6P=yA9unCzsQQ@mail.gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r860sEi8ZfQt2ZE7yQ7rbu00Ctg>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
This draft contains substantial omissions in section 3. Nothing in TLS 1.3 prevents scanning for servers and examining the certificates they present. Nothing in TLS 1.3 prevents using reverse proxies to provide WAF functionality. PCI-DSS compliance is not at odds with deploying TLS 1.3. In fact the citation to A2 is to a sun-setting of all pre-TLS 1.2 versions for point of sale terminals. I really don't see where the conflict exists since all ciphers in 1.3 are secure. The absence of these solutions means the draft overstates the impact of the increased protection TLS 1.3 provides.

It's disappointing to see sustained and persistent opposition to encryption and privacy despite multiple RFCs saying that yes, we should encrypt all the things.

On Tue, Jul 23, 2019, 8:08 AM Bret Jordan <jordan.ietf@gmail.com> wrote:

> Nancy,
>
> I support this work and think this draft should be published. This is yet another good write up on some of the requirements that are needed for operational security.
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
> On Jul 21, 2019, at 9:51 AM, Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:
>
> Hi,
> Thanks to all the feedback provided, we have updated the https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04 draft. At this point, we believe the draft is stable and would like to request its publication as an informational draft.
>
> Warm regards,
> Nancy
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
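The active scan the message refers to ("scanning for servers and examining the certificates they present"), as an added example that is not part of this message, the thread, or the draft: a Go program on the standard crypto/tls package that stands up a TLS 1.3-only server on loopback with a self-signed certificate and then scans it the way an inventory tool would. The host name scan-target.example, the self-signed certificate and the loopback server are all constructed for the example. TLS 1.3 encrypts the server's Certificate message on the wire, so a passive tap no longer sees it, but an active client that completes the handshake still receives it, and a probe capped at TLS 1.2 shows whether the server has moved on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a throwaway cert for the local stand-in server (host is constructed test data).
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer listens on loopback and speaks TLS 1.3 only, so a TLS 1.2
// probe is refused at the handshake rather than downgraded.
func StartServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Driving the handshake is what makes the server send its (encrypted) Certificate message.
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// Scan performs an active handshake against addr with the given SNI and returns
// the leaf certificate the server presents plus the negotiated version. Chain
// verification is skipped on purpose: a scanner wants to see the cert, not trust it.
func Scan(addr, sni string, maxVersion uint16) (*x509.Certificate, uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         sni,
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         maxVersion,
		InsecureSkipVerify: true, // inspect, do not trust
	})
	if err != nil {
		return nil, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if len(st.PeerCertificates) == 0 {
		return nil, st.Version, fmt.Errorf("%s presented no certificate", addr)
	}
	return st.PeerCertificates[0], st.Version, nil
}

func main() {
	const host = "scan-target.example" // constructed, not a real host
	cert, err := SelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	ln, err := StartServer(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	leaf, ver, err := Scan(ln.Addr().String(), host, tls.VersionTLS13)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=0x%04x subject=%s sans=%v\n", ver, leaf.Subject, leaf.DNSNames)
	// A TLS 1.2-only probe is refused outright; the refusal is itself a finding.
	_, _, err = Scan(ln.Addr().String(), host, tls.VersionTLS12)
	fmt.Println("tls1.2 probe:", err)
}
```

InsecureSkipVerify is the right setting for a scanner, whose job is to record what is presented rather than decide whether to trust it; a client that actually talks to the service must not set it. The same Scan function works against a real host by passing its host:port and SNI name instead of the loopback listener.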