Re: [TLS] Industry Concerns about TLS 1.3

BITS Security <> Tue, 27 September 2016 18:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7C7F812B488 for <>; Tue, 27 Sep 2016 11:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zbCgPgC9nfwm for <>; Tue, 27 Sep 2016 11:07:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5068512B480 for <>; Tue, 27 Sep 2016 11:07:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-fsroundtable-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=jPKyJh9icGvtcIPPJwO7uWO21n3xDhGdChKibxSZ0vk=; b=ClvDSFOAEZAFKF0nMiFaX/kxV9iPTBsVExBlpjva3Wg5hdXMoMehy/ZNvOHZ7wuLGndqfk0b15liH0LI1VS0EV/PEq/2ulHcuIGLJ6KYCA/PbJEkbtht0YWpCvLPSG+zeclZsSwMr+0k2jsoZwuJRhjsyZatisqLyRyTg7KwLzY=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.619.10; Tue, 27 Sep 2016 18:07:28 +0000
Received: from ([]) by ([]) with mapi id 15.01.0619.011; Tue, 27 Sep 2016 18:07:28 +0000
From: BITS Security <>
To: Eric Rescorla <>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Date: Tue, 27 Sep 2016 18:07:28 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-ms-office365-filtering-correlation-id: e20777e8-134b-4611-8319-08d3e7012473
x-microsoft-exchange-diagnostics: 1; DM5PR11MB1417; 6:m9AHnS3OhOyEatmdTLWhs8v1Jqs7SBp1cP0ZVIdnc2P8/ttH3+Cjk1+e5qiqrvu6u05cgiwkCrH6aM/2A8tmWk4B3ylglWekRbBLqUx9rLUqVjBMNboHbR0uFnVIz+kK9fEpl1Malr03w9pvluusClsJ1mvirfTLsKcqJnQjO3oZjbhrnqYNEe/5Z4p9vyhlt0I5epVgGt8e/FmjftwEF73D69VYVJl9xh2FDOJy3MDLtP4900AbcvjWNGIUP7UYgqiqfPeXQZlwYHHpQu+0w0CYgcf3EWnqK94voGSo8/OVvaIV1Vmjq7HlnnqyXY6A; 5:zilQtQ+X1CtbVOI5KUQFmuU/316kA1fd9VuH7Ih5HZep/NP16wHBuNXGxLyBwfVlbszB1w235SehbaW/Im2bRyoAH+O9fIsI9xM1B+qvN9dcnu722dM5uaE/uIp0sBgalA6rZIKdU9dMg81H4BxoMA==; 24:MvTPJxQCPPI3sr4+cPIlEdIZ/HO1kqVMdQaE862qrOfyVieXN0G2uowpt2hQcZmFjLQDKOfMRQiN539zTD7+7MAu7I0b8i5KyVtS1QFxY3E=; 7:szLN8yG7Pr31ZgR7Ajhtw5nwdkprItbhyhcVR0ji2bZaBpBr/Dx5bPnNwUHnaP2aL7wc/IWR1LHawmeY3w0dHR4VpYg5mg3BkCHidiiL8V6HR9yTYWdjbhW/bwX3XuMVrhXYm0n23xmfELCq6UYgJI3OQd0TD5v1/HSc6G7mxW53dx3kqnvwbhXFvs36Ee20b2Dbu6G4FTT5febGG04ChvHQm+DUWg+UVn76wmXXNyjqTEVsviPortOtrfgIyWMC/Ej0THIg/VEBVKj+4AoNscDlT3SH8Cwe24tOLNWh0GOBcTbherhMEU0Jea8Ahmu2
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR11MB1417;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(148322886591682)(72170088055959)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6042046)(6043046); SRVR:DM5PR11MB1417; BCL:0; PCL:0; RULEID:; SRVR:DM5PR11MB1417;
x-forefront-prvs: 007814487B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(76104003)(13464003)(24454002)(377454003)(189002)(54356999)(105586002)(76176999)(106356001)(19580395003)(19580405001)(33656002)(99286002)(81166006)(10400500002)(189998001)(81156014)(93886004)(102836003)(6116002)(586003)(92566002)(68736007)(5660300001)(3660700001)(122556002)(77096005)(2900100001)(8936002)(15975445007)(3846002)(9686002)(11100500001)(80792005)(3280700002)(110136003)(76576001)(4326007)(50986999)(305945005)(87936001)(345774005)(2950100002)(97736004)(101416001)(6916009)(66066001)(86362001)(74316002)(7846002)(2906002)(7696004)(7736002)(8676002)(5002640100001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1417;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Sep 2016 18:07:28.0414 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 841de5a0-73e8-4cbc-8142-f80b225ef22d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1417
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Sep 2016 18:07:33 -0000

Hi Eric--Thank you for the prompt.  

Our requirements are for the same capabilities we have today with TLS 1.2, namely to be able to take a trace anywhere in our enterprise and decrypt it out of band (assuming that we own the TLS server).  This includes traces taken from physical taps, traces from span or mirror ports, traces from the virtual environment, and/or traces from agents on workstations.  We need to be able to apply a key to sniffer devices, security and fraud monitoring tools, APM devices, and/or TLS decryption appliances.  

Outbound TLS today requires an MITM/proxy solution in order to decrypt TLS.  One visibility point only in this environment is not adequate to cover every situation especially in a crisis (whether a broken app or a more nefarious concern like APT).  

- Andrew

From: Eric Rescorla [] 
Sent: Friday, September 23, 2016 4:43 PM
To: BITS Security <>
Cc: Salz, Rich <>;;
Subject: Re: [TLS] Industry Concerns about TLS 1.3


What would probably be most helpful here would be if you tried to describe what you think your requirements are in some sort of protocol-neutral fashion.


On Fri, Sep 23, 2016 at 1:31 PM, BITS Security <> wrote:
Rich (et al.) -- I understand where you are coming from but I will poke a little bit at this portrayal.

We are not here hat-in-hand asking for a return to RSA key exchange to the proposed standard.  We do however want to raise our concern (and hopefully your awareness) of what appears to be an unintended consequence of the move to PFS-only choices.

What is happening from our perspective is choice is being removed and an adequate replacement has (seemingly) not been identified.  This lack of choice may not affect everyone and every use-case but it will predictably affect large, complex, highly regulated enterprises in a serious manner.  This is a classic case of security requirement being in conflict with a different security requirement.

IETF protocols are run extensively both on the public Internet and within private enterprises.  Any decisions made by the TLS Working Group will affect both environments, and the needs and requirements of both environments should be considered.


-----Original Message-----
From: TLS [] On Behalf Of Salz, Rich
Sent: Friday, September 23, 2016 3:08 PM
Subject: Re: [TLS] Industry Concerns about TLS 1.3

> It would be very interesting to get the network diagnostic and operations people (rather than the architects) of the above companies involved in this conversation.

Nothing has ever stopped them.  Never. Participation is as simple as joining a mailing list.  The IETF has been doing SSL and TLS for nearly 20 years.  It is not a secret.  It was incumbent on them to reach out and get involved.

> Why don't we listen to each other?   I know at IETF, I often hear that we don't get enough operators to comment and give feedback.  Well, here you have some.  It may be that these companies have problems that are different from Google's (just as an example).

Don't try to equate "listen to each other" with "meet my requirement."  The message has been stated, very clearly, from individuals, WG members, through document editors and WG chairs and up to Security Directors:  static RSA is not coming back to TLS 1.3 .  Since before the last IETF this was the message, consistently.  So perhaps you should answer the question first -- why aren't *you* listening? :)

PFS is also possible in TLS 1.1 and later.  What does, say USBank, do to prevent PFS in their existing deployment?  Why won't additional controls to prevent TLS 1.3 and its mandatory PFS be expected to work here as well?  So far all I've seen is "maybe there's bugs in TLS 1.2 and we'll be forced to move to TLS 1.3"  Shrug.  There are bugs everywhere.   Maybe there's bugs in TLS 1.3 too.

Look, pretty much the entire world is being spied on by national-scale adversaries who are recording all traffic for eventual decryption and correlation.  *Almost everyone* is having their traffic surveilled. The problems of debugging a set of enterprise apps doesn’t amount to a hill of beans in that world. It just doesn't. Same for a particular industry's regulatory requirements.

> Isn't our goal to have the best standards possible?   Any organism (including the IETF), needs feedback to thrive.

Oxygen, coke, and cookies too.

Senior Architect, Akamai Technologies
IM: Twitter: RichSalz _______________________________________________
TLS mailing list
TLS mailing list