Re: [TLS] chairs - please shutdown wiretapping discussion...

Colm MacCárthaigh <colm@allcosts.net> Sun, 09 July 2017 06:23 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92396127F0E for <tls@ietfa.amsl.com>; Sat, 8 Jul 2017 23:23:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ByNnp1BRPsiE for <tls@ietfa.amsl.com>; Sat, 8 Jul 2017 23:23:40 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13FC1127977 for <tls@ietf.org>; Sat, 8 Jul 2017 23:23:40 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id a12so25723396ywh.3 for <tls@ietf.org>; Sat, 08 Jul 2017 23:23:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=06WPUsNAnMF00duTwlbVhGj7EynnHp9N3mPJZuHNbXo=; b=1vYgJXYjOoYzb3bG5yZKMgOdWDtd6JRUWntEUxcky3sImG0f6oaTrvfHLJk2LqBBaV yyaIlqdD+CZd7nY6qdoDSEQ+1soWX22zqFTh5H5jxZ7LkJOkCRwn+a9az47jtcTIuike JqN+YoP9xX6FVLsLAsCAy2GT6eyYPur61Jp1jLKPV7MDxKHzV2wRX4Cu8FWppCBoDieK WbK+h4FkgQ6N2wDZFgXmXIEQFRw21pzfgoNDuLRxxdrToG7XEumORKhAFptr4Bi+xaA3 xsxBSAGSFtobgdOoeGPvMfMNPR+q07aYDUgpE9M4pPQeKixKMRmTiQaPlssy99rJp+jY gxKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=06WPUsNAnMF00duTwlbVhGj7EynnHp9N3mPJZuHNbXo=; b=az5IELlNVB0PSXM85naogcjWNEtzry5mmqgHZfh7NsHuun/CLlZ6GgcD7IBDcrPDrr sWGf2pJlSeGcNW7V6J1KjgbJrYo/aBtgeGbN87UmwQyvJYuY8nxNOajrDNvLgD/8P4oL pAddLmzIfdCKRCt/xq/+9TUU03O+hotQv7IS4YbBnHFgYlSUmDnkD6cSEsMQKHBAcVjS kKX8cSnRjqolmBc7dsMRI8BWlHzjGwUrmKZ4glKwI2Lj/2SEVxi2quCb10kCzWpp7Hze +3S/60hewDWgVongFJdvgf/Tg14qh9NbqH9a8JRKPBVQoQ1YdS+d6jeiC4ABY73zcycw XXCw==
X-Gm-Message-State: AIVw113FPx/+HrYWaqsrgFlcDQBnfFz8kuHUZY8vbe/pyLKi8H2xlayE AApTsQmBHPJaZEuRxCJg0yFq+2ejbjwZ
X-Received: by 10.129.201.66 with SMTP id c2mr8247538ywl.14.1499581419219; Sat, 08 Jul 2017 23:23:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.27.4 with HTTP; Sat, 8 Jul 2017 23:23:38 -0700 (PDT)
In-Reply-To: <CANBOYLVKFhpWMCbyUhA-jsczJi1ve93pV8QSqrUPB8awhqvawg@mail.gmail.com>
References: <b8baf87c-6648-96aa-4275-924fee07f774@cs.tcd.ie> <12b06aa3-f7dd-ab3e-fa4b-0f8e7ed7c6df@gmail.com> <216678f0-49df-dc88-1181-64a235033819@cs.tcd.ie> <634dbf72eee14617a2359f2792d4aee0@venafi.com> <CANBOYLVKFhpWMCbyUhA-jsczJi1ve93pV8QSqrUPB8awhqvawg@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
Date: Sat, 8 Jul 2017 23:23:38 -0700
Message-ID: <CAAF6GDevSdyynqePPzTfva4ZqgB7Qi7v0BZRQ2_roqswBCBo_A@mail.gmail.com>
To: Eric Mill <eric@konklone.com>
Cc: Paul Turner <PAUL.TURNER@venafi.com>, "tls@ietf.org" <tls@ietf.org>, tls chair <tls-chairs@tools.ietf.org>
Content-Type: multipart/alternative; boundary="089e08222864ce05350553dc81a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zP7K3S0R0ikqfv_Ws1lt1iKHiaE>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jul 2017 06:23:41 -0000

On Sat, Jul 8, 2017 at 6:04 PM, Eric Mill <eric@konklone.com>; wrote:

>
> Stating that proxies are not viable for enterprise organizations due to
> the scale and complexity of their network environments is subjective,
> generally not well-detailed, and much more open to skepticism.
>
> The burden on the proposers should be to address this skepticism, and to
> justify to the working group why enterprises that are large enough and
> well-funded enough to have such vast and complex networks cannot invest in
> upgrading those networks to an approach that doesn't rely on directly
> weakening their own connection security and potentially the security of
> others' through the unintended consequences of formalizing this RFC.
>

TLS1.3 isn't a debate, or a legal argument. It's an actual thing in the
world that we'd like to see succeed and be as pervasive as possible. The
folks reporting saying it won't work are doing us a favor, they don't owe
us anything.

So when those users show up saying "This won't work for me", it is better
to have a very open mind and make every attempt to understand them. If
their explanations are not clear, then burrow further. Be charitable and
lean as heavily towards why they may be right, search for good reasoning in
/their/ favor, and state it as well as it can possibly be presented. Only
on those terms try to tackle it with alternatives.

If the presenters are wrong, and the skepticism is merited, that approach
will still work. But if they happen to be right, it makes the alternatives
or adaptations more clear, or the necessity for them more obvious.
Dismissing concerns with trivial and shallow analysis can serve to diminish
the success of TLS1.3, because the users don't need to adopt it, and can
end up blocking it and creating a failure of "TLS 1.3 doesn't work in XXX
environments".

-- 
Colm