Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Yoav Nir
> On 7 Oct 2017, at 17:17, Nick Sullivan wrote: > > Yoav, > > Let me make a correction to your scenario. Instead of: > "You’ll need it for Chrome to work with Google." > it's: > "You’ll need it for Chrome to work with Google, Facebook, and most of the 10% > of

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Adam Langley
On Sat, Oct 7, 2017 at 12:17 AM, Hanno Böck wrote: > Alternative proposal: > > 1. Identify the responsible vendors. > 2. Tell all those vendors "You have 1 month to fix this. Fix it. Oh, > it's your customers who don't update? Seems you don't have any > reasonable update system.

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Salz, Rich
> I didn't intend to be arguing with you. I'm happy to present what I have in > Singapore and while I can't speak for others, I expect they would be as well. *I* know you meant everyone else on this thread, and not me. FB and Google folks, will you present at Singapore?

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Eric Rescorla
On Sat, Oct 7, 2017 at 8:25 AM, Salz, Rich wrote: > > > > I suggest we not have this debate now. We'll have a lot more data > towards the end of the month and we can have an informed discussion then. > > > > > > That is what I am asking for. More information so that the entire

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Hanno Böck
Hi, On Fri, 6 Oct 2017 13:16:37 -0700 Eric Rescorla wrote: > - Fall back to TLS 1.2 (as we have unfortunately done for previous > releases) Thinking about this I honestly hope nobody is considering this seriously. This would be an unfixable security design flaw. And it also

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Jeffrey Walton
On Sat, Oct 7, 2017 at 11:25 AM, Salz, Rich wrote: > > >> I suggest we not have this debate now. We'll have a lot more data towards >> the end of the month and we can have an informed discussion then. > > That is what I am asking for. More information so that the entire WG can

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Salz, Rich
> I suggest we not have this debate now. We'll have a lot more data towards the > end of the month and we can have an informed discussion then. That is what I am asking for. More information so that the entire WG can make an informed decision. And I was only laying out an option that does

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Eric Rescorla
On Sat, Oct 7, 2017 at 7:44 AM, Watson Ladd wrote: > On Sat, Oct 7, 2017 at 7:17 AM, Nick Sullivan > wrote: > > Yoav, > > > > Let me make a correction to your scenario. Instead of: > > "You’ll need it for Chrome to work with Google." > >

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Richard Barnes
On Oct 7, 2017 10:43, "Salz, Rich" wrote: ➢ I don't want to speak for browser vendors, but history suggests that Option 3) may not be a viable one for browsers with a significant market share. They can do what they want, but if they’re “in the rough” on the consensus call, I

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Salz, Rich
➢ I don't want to speak for browser vendors, but history suggests that Option 3) may not be a viable one for browsers with a significant market share. They can do what they want, but if they’re “in the rough” on the consensus call, I hope they’ll go along. As for Yoav’s point about “not

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Nick Sullivan
Yoav, Let me make a correction to your scenario. Instead of: "You’ll need it for Chrome to work with Google." it's: "You’ll need it for Chrome to work with Google, Facebook, and most of the 10% of Alexa top million sites that are using Cloudflare." TLS 1.3 (in one draft version or another) is

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Eric Rescorla
On Sat, Oct 7, 2017 at 2:57 AM, Ilari Liusvaara wrote: > On Fri, Oct 06, 2017 at 01:16:37PM -0700, Eric Rescorla wrote: > > Hi folks, > > > > In Prague I mentioned that we were seeing evidence of increased > > failures with TLS 1.3 which we believed were due to

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Yoav Nir
> On 7 Oct 2017, at 4:01, Salz, Rich wrote: > > Thanks very much for the update. > > There is a third option, name the devices which are known to cause problems, > and move forward with the draft as-is. +1. I like this third option. > 2. Tell all those vendors "You have 1

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Ilari Liusvaara
On Fri, Oct 06, 2017 at 01:16:37PM -0700, Eric Rescorla wrote: > Hi folks, > > In Prague I mentioned that we were seeing evidence of increased > failures with TLS 1.3 which we believed were due to middleboxes. In > the meantime, several of us have done experiments on this, and I > wanted to

Re: [TLS] Update on TLS 1.3 Middlebox Issues

2017-10-07 Thread Hanno Böck
Alternative proposal: 1. Identify the responsible vendors. 2. Tell all those vendors "You have 1 month to fix this. Fix it. Oh, it's your customers who don't update? Seems you don't have any reasonable update system. Call your customers, send some support staff to them. Fix this. Now." 3. Call