Re: [TLS] ETSI releases standards for enterprise security and data centre management

Tony Arcieri <bascule@gmail.com> Wed, 05 December 2018 15:51 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFBFD130E39 for <tls@ietfa.amsl.com>; Wed, 5 Dec 2018 07:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1XsY01YtgF8l for <tls@ietfa.amsl.com>; Wed, 5 Dec 2018 07:51:38 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 882E6130E30 for <tls@ietf.org>; Wed, 5 Dec 2018 07:51:38 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id a11so19009858otr.10 for <tls@ietf.org>; Wed, 05 Dec 2018 07:51:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SSIm/w8RFguchYagPW345Ql1xxcEbPYurkdTzkYvJlc=; b=Ho08fJw8VeW/2qv8ju1kJx1WFv1VMdYlXtraRqSt0spmYnl+cpHBvflwIuSmcuEtsg t0cd3HPgSvjqKqGXksavpfjkqc+vyyX+3gVuv9x0alcEdP6L7RKYkcK7+jTY+bpbBGd1 YL6z9WTO9P2XxTvYJPhPnhblRUFsP6+7MADFTl000VMnWF56srxmglGcMVCKq79DiTzR yUkWPn9hIK4zDqK+V6wVHA9XUvXjwdjXWMqN0hTwrTtUUdsGcGRrG1RM3i0m1XhRtI9K J2P3JNVXr7s3MI1r7jwnpQ0rVHFABspRw5fhhnMHzU5Adi227sN/F3G8qk40G8//mfh8 aAHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SSIm/w8RFguchYagPW345Ql1xxcEbPYurkdTzkYvJlc=; b=CigmaKnNL4NW+91rUtwV0CAfLfvTKkdueyyH3xQm3PM4JwoXPtMM66Ki55EdA3RanJ 1KSm8G6KBW53bSH5EqU8pX+pJhoFMKQRxlfBZ1w8+toEr+D//jvCx4EUiUXl+pjEP1Pm Z6rQacQPTldgmc1bvaV+eDYKVRElXxMthr/wi/+hp6mTqEwYkOLhO1u0i0O30crMQwF9 9RDy7LI5c5AlhEfDNzqh9dX2qqNJabhTIa/pBC8OyBRRgFAyQH44gaC5rZHDgy9ws1d0 CZKJ47TzK1x/H3VwBu1Nr4qVnQUDiZPGDzK6TcPFA94PVBk1sgKV+FgxgkvuWzSL2RCx qD7g==
X-Gm-Message-State: AA+aEWYdzCAVKYg4jwTvHg4ln+eVhrwMu3+69Bze+/vIDXRC1FwAVoiZ IVCVDE7z2Nfp+ReHYG+X2VdkdIcU8u083QACrNg=
X-Google-Smtp-Source: AFSGD/UNS9Vx4Cc6o+5ca3J5VCYogVV6YK9M9zTC1aNWyESchey1/XIYDf57ehU1pUmZizkcCeFqVVZeN4xm6jISkuU=
X-Received: by 2002:a05:6830:1115:: with SMTP id w21mr15177674otq.316.1544025097610; Wed, 05 Dec 2018 07:51:37 -0800 (PST)
MIME-Version: 1.0
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <20181202233553.GD15561@localhost> <CAHOTMV+vPkM-=Qsto-8-ipFuGsNKkH_U=BEY_mB=7CM7tto3Mw@mail.gmail.com> <38D10A65-B4EE-4E81-8EA4-D69514F7F47B@gmail.com>
In-Reply-To: <38D10A65-B4EE-4E81-8EA4-D69514F7F47B@gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 5 Dec 2018 07:51:26 -0800
Message-ID: <CAHOTMVJuFP56mA0+JpCsnOi1CZTjhuFLK1461XRrxyyzAawCqA@mail.gmail.com>
To: jordan.ietf@gmail.com
Cc: Nico Williams <nico@cryptonector.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000077bbcc057c485bd4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w8WcwXYfITN0KIAu_neERCQdm6w>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 15:51:41 -0000

On Wed, Dec 5, 2018 at 12:09 AM Bret Jordan <jordan.ietf@gmail.com>; wrote:

> Now this WG is finally starting to talk about a solution to a real problem
> and need.  We can either address the use case and need here in the IETF, or
> we can let the solutions be done else where. I would personally prefer we
> take this work item back and solve it here in the IETF.
> [...]
>
> On Dec 5, 2018, at 1:18 AM, Tony Arcieri <bascule@gmail.com>; wrote:
> [...]
> It seems like with an out-of-band escrow agent, the traffic secrets could
> be escrowed with no changes to TLS.
>
> Note that the solution I was proposing here requires no changes to TLS. I
am sure that there are many in the IETF who would be happy with people
exploring solutions which don't require changes to TLS.

Here are some others:

   - Endpoint agents (OSS - commercial options are also available):
   - https://osquery.io/
      - https://www.bro.org/ (now Zeek)
      - https://wazuh.com/
      - Encrypted traffic analytics:
   https://blogs.cisco.com/security/tls-version-1-3-change-is-here-and-encrypted-traffic-analytics-has-got-your-back

--
Tony Arcieri