Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

"Salz, Rich" <rsalz@akamai.com> Sun, 22 October 2017 23:55 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B32E413C178 for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 16:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_Zcf8F11Eb8 for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 16:55:16 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B34613C177 for <tls@ietf.org>; Sun, 22 Oct 2017 16:55:16 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v9MNreAf024242; Mon, 23 Oct 2017 00:55:05 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=cVYbvPYF10FwT3GWa6tjJM/GmcRX8dAeo9OLkLQoY0w=; b=EzOGskt42lJ8wji1C69WWzC+9Lt2YJyCH7Sj3W+2RPjowaizJswMq9gjkSLrU9gJ2ju4 jR+qRIzOUsAThICEdXiyQg4a/oESzbXShBpQKBD4f34FY50HO9HmusjYE+7Ee8GLm5jm YS/kfZIxdo2wkUXFwYbY2FO/ugNGFJ9KDeiYACt49DFBd1FMKLl24ukXOo/yLhEnPr7e tbxzs/KEzQY7Oz2G3TKs7tVKWCU8I0DRZpnXZJa91ovjut1AFGYD/pLiw0En3bl268iD k0QQ5dcVQ+5VNab15/FzslZMd1+aL1jNhiZefQ8gc71Pndrv763wTXMjGmZWHGGwEtnG NQ==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050096.ppops.net-00190b01. with ESMTP id 2dqxn6cn72-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 23 Oct 2017 00:55:05 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9MNqlYO023978; Sun, 22 Oct 2017 19:55:04 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.53]) by prod-mail-ppoint4.akamai.com with ESMTP id 2dr1jwmh6s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 22 Oct 2017 19:55:04 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 22 Oct 2017 19:54:57 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Sun, 22 Oct 2017 19:54:57 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Steve Fenter <steven.fenter58@gmail.com>, Christian Huitema <huitema@huitema.net>
CC: Darin Pettis <dpp.edco@gmail.com>, Paul Turner <PAUL.TURNER@venafi.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Thread-Index: AQHTO71yMz3yJYxp1UWiK0P85Z38q6LqPDwAgAFTKoCAAAWQgIAAANmAgAABFQCAAAA7gIAAAPWAgAADKYCAAALXgIAABTeAgAACs4CAAAEIAIAABEWAgAAZu4CAAAV4gIAAVLoAgAAB/4CABMTGAIAAB+gA
Date: Sun, 22 Oct 2017 23:54:57 +0000
Message-ID: <4C8FA7B0-C084-4D77-85A0-29876C055982@akamai.com>
References: <7E6C8F1F-D341-456B-9A48-79FA7FEC0BC1@gmail.com> <a599d6ad-54db-e525-17d6-6ea882880021@akamai.com> <71e75d23f4544735a9731c4ec3dc7048@venafi.com> <3D2E3E26-B2B9-4B04-9704-0BBEE2E2A8F7@akamai.com> <000501d348e5$1f273450$5d759cf0$@equio.com> <70837127-37AB-4132-9535-4A0EB072BA41@akamai.com> <e8417cc424fe4bf3b240416dfffd807a@venafi.com> <B11A4F30-2F87-4310-A2F0-397582E78E1D@akamai.com> <fd12a8a8c29e4c7f9e9192e1a1d972d6@venafi.com> <D2CAAA44-339E-4B41-BCE0-865C76B50E2F@akamai.com> <d76828f02fc34287a961eba21901247b@venafi.com> <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <7ed40a30-196f-d280-59a5-814a5ea4676e@huitema.net> <13B309B8-D380-450D-9792-81DFC22C03F0@gmail.com>
In-Reply-To: <13B309B8-D380-450D-9792-81DFC22C03F0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.33.9]
Content-Type: text/plain; charset="utf-8"
Content-ID: <4BA9E021A8B44347A1448D09A045A87B@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-22_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710220347
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-22_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710220347
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t_PtHK8cEAT7IzSRix3lZOmssSI>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Oct 2017 23:55:18 -0000

➢ I have been saying to anyone who will listen that the IETF needs a private forum for enterprises, to enable them to come forward and discuss their real requirements. Without this input the IETF is trying to architect and engineer solutions without knowing the complete set of requirements, at least on the enterprise side.

Sorry, no.  We don’t work that way.  Never have, and never will.  Everything must be done in public.  That’s really just non-negotiable.  Without that input, then yes, the IETF protocols will “just” be for the public Internet.  I’m sure many will accept that.

➢     The only other option being presented to enterprises is that we continue to run on a TLS spec that is nine years old, and then continue running it until it is 14 to 19 years old. It makes no sense to me to put out a TLS 1.3 standard, but say that enterprises cannot upgrade to it.
    
Yes it makes sense, for two reasons.  First, “enterprises,” as represented by those who claim to need this visibility, haven’t even moved up to requiring TLS 1.2.  It was because of enterprise push-back that PCI DSS was delayed, and that was only TLS 1.1!  Second, “enterprise” is a small part of the Internet.

So you need TLS 1.3, with this security-weakening feature, so that in case someone finds a break in TLS 1.1, or TLS 1.2, you can rapidly upgrade to TLS 1.3.  The phrase that comes to mind is “are you --- kidding me?”

Enterprise monitoring, as has been repeatedly said here, *does not have to break.*  Keep your architecture and have the server’s that you control within your enterprise share all the keys with the logging system.