Re: [TLS] TLS Impact on Network Security draft updated

Flemming Andreasen <fandreas@cisco.com> Tue, 23 July 2019 20:51 UTC

Return-Path: <fandreas@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EE58120159 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xr2JRcbNrKia for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:51:19 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25108120153 for <tls@ietf.org>; Tue, 23 Jul 2019 13:51:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18255; q=dns/txt; s=iport; t=1563915079; x=1565124679; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=/MT02I7U4sOhFSqZS9fQOIWcjptoodQPCWj3/eluqYw=; b=geuD/A/IRzFHVmKMl1TLHsauovodRJC9gvg4cwF02dEvHYEm4B7rfUd8 hbnxYzTHSSblNHrQgeJo/9CGZGBrc0N+GcgJ4rphL0gQ/nQvnbL0gRRg0 qkClRhzTuXCzxCuElYoByR4bEcWCl69vblYIZFMjCVkH4/n0iB+JQbHBJ w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BCAAAKcjdd/5xdJa1mHAEBAQQBAQcEAQGBUwcBAQsBgRSBAm1RATIqhB2IHItcCCWJVA6PHIF7CQEBAQ4YAQoMAQGEQAKCTiM0CQ4BAwEBBAEBAgEGbYUeDIVLAQEBAwEBIUsLEAkCGCcDAgIhBh8RBgEMBgIBARAHgwcBgWoDCRQPjyCba4EyH4QXAoEPgkANX4FIgTQBi0AeF4FAP4ERJwyCMS4+ghpHAQEDgUiDIYJYBKojQAmCG4ZYiUCDbgYbgi1tih2KU401gTGGF4F1jjuBUDgqgS5NIxU7gmwJiz6FWyMDMI9mAQE
X-IronPort-AV: E=Sophos;i="5.64,300,1559520000"; d="scan'208,217";a="602947912"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Jul 2019 20:51:18 +0000
Received: from [10.86.255.110] ([10.86.255.110]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTP id x6NKpH1a004347; Tue, 23 Jul 2019 20:51:17 GMT
To: Watson Ladd <watsonbladd@gmail.com>, Bret Jordan <jordan.ietf@gmail.com>
Cc: TLS List <tls@ietf.org>
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com> <E73DC7CA-71F1-4309-BBC9-6DF776E04350@gmail.com> <CACsn0ck3=wdt5954CvNRbNS3s+qn5NGOUZm0j6P=yA9unCzsQQ@mail.gmail.com>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <016da638-6973-809b-0a24-42b2c9682b64@cisco.com>
Date: Tue, 23 Jul 2019 16:51:16 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CACsn0ck3=wdt5954CvNRbNS3s+qn5NGOUZm0j6P=yA9unCzsQQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------65BC65A4A11BDFB312D53EFE"
Content-Language: en-US
X-Outbound-SMTP-Client: 10.86.255.110, [10.86.255.110]
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tQmScRvEaSAJJQafpM4dr1tZmFA>
Subject: Re: [TLS] TLS Impact on Network Security draft updated
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 20:51:22 -0000


On 7/23/19 2:35 PM, Watson Ladd wrote:
> This draft contains substantial omissions in section 3.
>
> Nothing in TLS 1.3 prevents scanning for servers and examining the 
> certificates they present.
Agreed, however there is no guarantee that the server will present the 
same certificate and other TLS parameters as it will for a particular 
client connection
> Nothing in TLS 1.3 prevents using reverse proxies to provide WAF 
> functionality.
Agreed however you need to terminate the TLS 1.3 connection at that WAF
> PCI-DSS compliance is not at odds with deploying TLS 1.3. In fact the 
> citation to A2 is to a sun-setting of all pre TLS 1.2 versions for 
> point of sale terminals. I really don't see where the conflict exists 
> since all ciphers in 1.3 are secure.
>
I'll defer to one of my co-authors on this one.
> The absence of these solutions means the draft overstates the impact 
> of the increased protection TLS 1.3 provides. It's disappointing to 
> see sustained and persistent opposition to encryption and privacy 
> despite multiple RFCs saying that yes we should encrypt all the things.
>
The draft is submitted with the intent of informing the community about 
impacts as we see them. The authors welcome discussion and constructive 
feedback and we will be happy to update and improve the draft 
accordingly when such information is provided and consensus forms around 
it. Specific text suggestions will be even better.

Thanks

-- Flemming
>
> On Tue, Jul 23, 2019, 8:08 AM Bret Jordan <jordan.ietf@gmail.com 
> <mailto:jordan.ietf@gmail.com>> wrote:
>
>     Nancy,
>
>     I support this work and think this draft should be published. This
>     is a yet another good write up on some of the requirements that
>     are needed for operational security.
>
>     Thanks,
>     Bret
>     PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>     "Without cryptography vihv vivc ce xhrnrw, however, the only thing
>     that can not be unscrambled is an egg."
>
>>     On Jul 21, 2019, at 9:51 AM, Nancy Cam-Winget (ncamwing)
>>     <ncamwing@cisco.com <mailto:ncamwing@cisco.com>> wrote:
>>
>>     Hi,
>>     Thanks to all the feedback provided, we have updated
>>     thehttps://tools.ietf.org/html/draft-camwinget-tls-use-cases-04
>>     draft.  At this point, we believe the draft is stable and would
>>     like to request its publication as an informational draft.
>>     Warm regards,
>>         Nancy
>>     _______________________________________________
>>     TLS mailing list
>>     TLS@ietf.org <mailto:TLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tls
>
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls