Re: [TLS] TLS1.3 + PSK with multiple identities

2016-10-03 Thread Olivier Levillain
Hi list, I have been working in the labs at ANSSI (the French Network and Information System Agency) for several years and I just defended my PhD thesis on the TLS ecosystem (documents are available at http://paperstreet.picty.org/~yeye/2016/phdthesis-Levillain16/). >> On Mon, 2016-09-19 at

Re: [TLS] Industry Concerns about TLS 1.3

2016-10-03 Thread Tony Arcieri
On Mon, Oct 3, 2016 at 2:21 PM, BITS Security wrote: > If PCI has mandated upgrading TLS because of vulnerabilities, they are > likely to do it again and in fact have provided strong hints to the market > where they should be beyond the minimum requirement itself.

Re: [TLS] Industry Concerns about TLS 1.3

2016-10-03 Thread Watson Ladd
> > If you look at the industry reports like the Verizon PCI Breach and Compliance Reports, private keys simply aren't being stolen. Maybe there is an outlier or two but there certainly isn't a documented trend I can find. If you have contravening information to provide I am all ears. Surely

Re: [TLS] Industry Concerns about TLS 1.3

2016-10-03 Thread Jeffrey Walton
> PCI requirement providing Intrusion Detection at the entrance to Cardholder > Data Environments as well as at critical points inside the Cardholder Data > Environment. Intrusion Detection requires decryption of TLS. For some > large, complex organizations this can be a large number of

Re: [TLS] Industry Concerns about TLS 1.3

2016-10-03 Thread BITS Security
> I work firsthand enforcing these requirements at a payments company. Again, I > do not speak on behalf of my employer. > It wasn't until last year that PCI decided to deprecate TLS 1.0, at the time > a 16 year old standard. I think your sense of emergency is highly > over-exaggerated. >

Re: [TLS] Industry Concerns about TLS 1.3

2016-10-03 Thread BITS Security
> > The various suggestions for creating fixed/static Diffie Hellman keys raise > > interesting possibilities. We would like to understand these ideas better > > at a technical level and are initiating research into this potential > > solution. We need to understand the potential

[TLS] [Editorial Errata Reported] RFC6066 (4817)

2016-10-03 Thread RFC Errata System
The following errata report has been submitted for RFC6066, "Transport Layer Security (TLS) Extensions: Extension Definitions". -- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6066=4817