Re: [TLS] TLS Impact on Network Security draft updated

Watson Ladd <watsonbladd@gmail.com> Tue, 23 July 2019 18:36 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 23 Jul 2019 11:35:49 -0700
Message-ID: <CACsn0ck3=wdt5954CvNRbNS3s+qn5NGOUZm0j6P=yA9unCzsQQ@mail.gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r860sEi8ZfQt2ZE7yQ7rbu00Ctg>

This draft contains substantial omissions in section 3.

Nothing in TLS 1.3 prevents scanning for servers and examining the
certificates they present. Nothing in TLS 1.3 prevents using reverse
proxies to provide WAF functionality. PCI-DSS compliance is not at odds
with deploying TLS 1.3. In fact, the citation to A2 is to a sunsetting of
all pre-TLS 1.2 versions for point-of-sale terminals. I really don't see
where the conflict exists, since all ciphers in 1.3 are secure.

The absence of these solutions means the draft overstates the impact of the
increased protection TLS 1.3 provides. It's disappointing to see sustained
and persistent opposition to encryption and privacy despite multiple RFCs
saying that yes, we should encrypt all the things.


On Tue, Jul 23, 2019, 8:08 AM Bret Jordan <jordan.ietf@gmail.com> wrote:

> Nancy,
>
> I support this work and think this draft should be published. This is
> yet another good write-up on some of the requirements that are needed for
> operational security.
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> cannot be unscrambled is an egg."
>
> On Jul 21, 2019, at 9:51 AM, Nancy Cam-Winget (ncamwing) <
> ncamwing@cisco.com> wrote:
>
> Hi,
> Thanks to all the feedback provided, we have updated the
> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04
> draft.  At this point, we believe the draft is stable and would like to
> request its publication as an informational draft.
>
> Warm regards,
>     Nancy
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
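To make the distinction in Watson's reply concrete, here is an added example that is not from any poster or from the draft: a minimal TLS record-layer walker run over two constructed captures, showing that a TLS 1.2 server flight exposes the Certificate message to a passive on-path observer while a TLS 1.3 flight exposes only ServerHello, so the certificate is available only to a party that completes the handshake (a scanner or a reverse proxy). The record and handshake layouts follow RFC 5246/8446; the byte strings are constructed, not real traffic.

```python
# Added example (not from the thread): walk the TLS record layer and list
# what a passive observer can read without keys. TLS 1.2 sends Certificate
# (handshake type 11) in the clear; TLS 1.3 encrypts it after ServerHello
# inside application_data records. Captures below are constructed bytes.

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}

def tls_records(stream: bytes):
    """Yield (content_type, payload) per TLS record; each has a 5-byte header."""
    off = 0
    while off + 5 <= len(stream):
        ctype = stream[off]
        length = int.from_bytes(stream[off + 3:off + 5], "big")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        yield ctype, body
        off += 5 + length

def handshake_messages(body: bytes):
    """Split a plaintext handshake record into (type, payload) messages."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + length]
        off += 4 + length

def visible_messages(stream: bytes):
    """Names of what an on-path observer sees; encrypted records stay opaque."""
    seen = []
    for ctype, body in tls_records(stream):
        if ctype == 22:
            seen += [HANDSHAKE.get(t, "handshake(%d)" % t)
                     for t, _ in handshake_messages(body)]
        else:
            seen.append(CONTENT.get(ctype, "unknown(%d)" % ctype))
    return seen

def record(ctype: int, body: bytes) -> bytes:  # one record, legacy version 0x0303
    return bytes([ctype, 3, 3]) + len(body).to_bytes(2, "big") + body

def hs(htype: int, payload: bytes) -> bytes:  # one handshake message (1-byte type, 3-byte len)
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

# Constructed TLS 1.2 server flight: the certificate is readable on the wire.
TLS12_FLIGHT = record(22, hs(2, b"\x03\x03" + b"\0" * 32)
                      + hs(11, b"<constructed DER>") + hs(14, b""))
# Constructed TLS 1.3 server flight: after ServerHello the Certificate rides in an encrypted record.
TLS13_FLIGHT = record(22, hs(2, b"\x03\x03" + b"\0" * 32)) + record(23, b"\xa5" * 40)
```

Run `visible_messages` on a real capture's server-to-client bytes to see the same split; a monitoring tool that keys on the cleartext Certificate will simply stop seeing one under TLS 1.3.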