Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Yoav Nir
> On 22 Oct 2017, at 21:40, Ted Lemon wrote: > > On Oct 22, 2017, at 1:54 PM, Russ Housley > wrote: >> No one is requiring TLS 1.3 that I know about. However, there are places >> that require visibility into TLS. I will

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Salz, Rich
> I have been saying to anyone who will listen that the IETF needs a private forum for enterprises, to enable them to come forward and discuss their real requirements. Without this input the IETF is trying to architect and engineer solutions without knowing the complete set of requirements, at

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Stephen Farrell
Hi Ted, On 23/10/17 00:35, Ted Lemon wrote: > On Oct 22, 2017, at 7:26 PM, Steve Fenter > wrote: >> I have been saying to anyone who will listen that the IETF needs a >> private forum for enterprises, to enable them to come forward and >> discuss their real

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Ted Lemon
On Oct 22, 2017, at 7:16 PM, Ackermann, Michael wrote: > And out of curiosity, what is the simpler protocol you are recommending? > I say out of curiosity because switching to a whole different protocol is not > likely to be feasible from any perspective for large

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Ted Lemon
On Oct 22, 2017, at 7:26 PM, Steve Fenter wrote: > I have been saying to anyone who will listen that the IETF needs a private > forum for enterprises, to enable them to come forward and discuss their real > requirements. Without this input the IETF is trying to

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Steve Fenter
I know of a number of large enterprises in verticals including financial, health care, retail, and government, across multiple countries, who are using packet payload inspection within their data centers. Most of these enterprises are reluctant to step forward in a public forum and reveal

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Ackermann, Michael
I am willing to bet that his point was not at all that Enterprises could switch quickly, as you say in your response. We do not do ANYTHING quickly. I believe his point was that because we do not move quickly, we need to prepare as much in advance as possible, and assure that the base

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Stephen Farrell
On 22/10/17 21:48, Steve Fenter wrote: > The main problem with not addressing the TLS visibility issue now is > that no one knows when a vulnerability will be discovered in TLS 1.2 > that forces enterprises to upgrade to TLS 1.3. We've had guarantees > that TLS 1.2 and the RSA key exchange are

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Ted Lemon
On Oct 22, 2017, at 4:48 PM, Steve Fenter wrote: > The main problem with not addressing the TLS visibility issue now is that no > one knows when a vulnerability will be discovered in TLS 1.2 that forces > enterprises to upgrade to TLS 1.3. We've had guarantees that

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Blumenthal, Uri - 0553 - MITLL
First they have to go through this vulnerability search dance with TLS-1.1 and achieve a reasonably complete move to TLS-1.2. Regards, Uri Sent from my iPhone > On Oct 22, 2017, at 16:49, Steve Fenter wrote: > > The main problem with not addressing the TLS

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Steve Fenter
The main problem with not addressing the TLS visibility issue now is that no one knows when a vulnerability will be discovered in TLS 1.2 that forces enterprises to upgrade to TLS 1.3. We've had guarantees that TLS 1.2 and the RSA key exchange are going to be fine for 5 to 10 years, but nobody

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Kathleen Moriarty
Sent from my iPhone > On Oct 22, 2017, at 3:24 PM, Kathleen Moriarty > wrote: > > > > Sent from my iPhone > >> On Oct 22, 2017, at 2:40 PM, Ted Lemon wrote: >> >>> On Oct 22, 2017, at 1:54 PM, Russ Housley wrote:

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Kathleen Moriarty
Sent from my iPhone > On Oct 22, 2017, at 2:40 PM, Ted Lemon wrote: > >> On Oct 22, 2017, at 1:54 PM, Russ Housley wrote: >> No one is requiring TLS 1.3 that I know about. However, there are places >> that require visibility into TLS. I will let one

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Ted Lemon
On Oct 22, 2017, at 1:54 PM, Russ Housley wrote: > No one is requiring TLS 1.3 that I know about. However, there are places > that require visibility into TLS. I will let one of the people that works in > a regulated industry offer pointers to the documents. What they

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Blumenthal, Uri - 0553 - MITLL
IMHO, get the TLS-1.3 standard out first, then start mucking with it. There's nothing yet to make "visibility" into. ;-) And in any case I'm against weakening the protocol, since there are other ways to accomplish the perlustrator's mission. Regards, Uri Sent from my iPhone > On Oct 22,

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Russ Housley
Tony: > > Can you provide a *specific citation* as to where you will be *required* to > use TLS 1.3 any time in, say, the next decade? > No one is requiring TLS 1.3 that I know about. However, there are places that require visibility into TLS. I will let one of the people that works in a

Re: [TLS] Connection ID Draft

2017-10-22 Thread Stephen Farrell
On 22/10/17 17:04, Eric Rescorla wrote: > On Sun, Oct 22, 2017 at 8:50 AM, Stephen Farrell > wrote: > >> >> >> On 22/10/17 16:41, Eric Rescorla wrote: >>> Maybe the thing we could agree at this stage is that the cid scheme has to be usable in that

Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

2017-10-22 Thread Dave Garrett
Agreed; this conversation is not going to get anything to a real WG consensus without causing people to flee the WG. The hard sell just makes people more and more skeptical that this is really well intentioned. Please, let's just let this mess die. As Rich Salz has stated previously, we should

Re: [TLS] Connection ID Draft

2017-10-22 Thread Eric Rescorla
On Sun, Oct 22, 2017 at 8:50 AM, Stephen Farrell wrote: > > > On 22/10/17 16:41, Eric Rescorla wrote: > > > >> Maybe the thing we could agree at this stage is that the cid scheme > >> has to be usable in that one-message-per-day scenario and needs to > >> provide some

Re: [TLS] Connection ID Draft

2017-10-22 Thread Stephen Farrell
On 22/10/17 16:41, Eric Rescorla wrote: > >> Maybe the thing we could agree at this stage is that the cid scheme >> has to be usable in that one-message-per-day scenario and needs to >> provide some way that such messages aren't easily linkable based on >> cids. > > I think that's a

Re: [TLS] Connection ID Draft

2017-10-22 Thread Eric Rescorla
On Sun, Oct 22, 2017 at 8:23 AM, Stephen Farrell wrote: > > (Sorry for the slow response...) > > Two things below... > > On 13/10/17 16:58, Eric Rescorla wrote: > > On Fri, Oct 13, 2017 at 7:52 AM, Stephen Farrell < > stephen.farr...@cs.tcd.ie> > > wrote: > > > >> > >>

Re: [TLS] Connection ID Draft

2017-10-22 Thread Stephen Farrell
(Sorry for the slow response...) Two things below... On 13/10/17 16:58, Eric Rescorla wrote: > On Fri, Oct 13, 2017 at 7:52 AM, Stephen Farrell > wrote: > >> >> Hiya, >> >> On 13/10/17 15:29, Eric Rescorla wrote: >>> There are a number of cases where this is