Re: [TLS] Industry Concerns about TLS 1.3

On Sat, Oct 1, 2016 at 4:23 AM, Peter Gutmann wrote: > Ryan Carboni writes: > > >I've never quite understood what TLS was supposed to be protecting > against, > >and whether or not it has done so successfully, or has the potential to > do so >

Re: [TLS] Industry Concerns about TLS 1.3

as the canary in the coalmine... but here we are now at least. - Andrew -Original Message- From: Florian Weimer [mailto:f...@deneb.enyo.de] Sent: Wednesday, October 5, 2016 2:17 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns abo

Re: [TLS] Industry Concerns about TLS 1.3

* BITS Security: > Deprecation of the RSA key exchange in TLS 1.3 will cause significant > problems for financial institutions, almost all of whom are running > TLS internally and have significant, security-critical investments in > out-of-band TLS decryption. > > Like many enterprises,

Re: [TLS] Industry Concerns about TLS 1.3

On Mon, Oct 3, 2016 at 2:21 PM, BITS Security wrote: > If PCI has mandated upgrading TLS because of vulnerabilities, they are > likely to do it again and in fact have provided strong hints to the market > where they should be beyond the minimum requirement itself.

Re: [TLS] Industry Concerns about TLS 1.3

> From: Tony Arcieri [mailto:basc...@gmail.com] > Sent: Tuesday, September 27, 2016 4:17 PM > To: BITS Security <bitssecur...@fsroundtable.org> > Cc: Peter Bowen <pzbo...@gmail.com>; tls@ietf.org > Subject: Re: [TLS] Industry Concerns about TLS 1.3 > > On Mo

Re: [TLS] Industry Concerns about TLS 1.3

> PCI requirement providing Intrusion Detection at the entrance to Cardholder > Data Environments as well as at critical points inside the Cardholder Data > Environment. Intrusion Detection requires decryption of TLS. For some > large, complex organizations this can be a large number of

Re: [TLS] Industry Concerns about TLS 1.3

rs. - Andrew From: Tony Arcieri [mailto:basc...@gmail.com] Sent: Tuesday, September 27, 2016 4:17 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: Peter Bowen <pzbo...@gmail.com>; tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On Mon, Sep 26, 2016 at 12:

Re: [TLS] Industry Concerns about TLS 1.3

could undermine this solution. Appreciate it. - Andrew -Original Message- From: Seth David Schoen [mailto:sch...@eff.org] Sent: Tuesday, September 27, 2016 2:30 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns

Re: [TLS] Industry Concerns about TLS 1.3

Ryan Carboni writes: >I've never quite understood what TLS was supposed to be protecting against, >and whether or not it has done so successfully, or has the potential to do so >successfully. It's the Inside-Out Thread Model (also shared by a number of other security

Re: [TLS] Industry Concerns about TLS 1.3

Hi Ryan, people working in the security field know what features TLS provides and those are highly valued since otherwise it wouldn't be used so widely. I prefer to finalize the work on TLS 1.3 as planned. There are various groups successfully working on their implementations and I am looking

Re: [TLS] Industry Concerns about TLS 1.3

I've never quite understood what TLS was supposed to be protecting against, and whether or not it has done so successfully, or has the potential to do so successfully. Well, I don't think anyone here even knows how to protect a mailing list from multi-billion dollar threat actors so...??? Let me

Re: [TLS] Industry Concerns about TLS 1.3

On 9/28/16 at 4:27 PM, melinda.sh...@nomountain.net (Melinda Shore) wrote: That said, IETF participation is dominated by large equipment and software vendors and the problem space, at least until recently (there's been a crop of data center-related problems coming up in OPS and routing), has

Re: [TLS] Industry Concerns about TLS 1.3

On Wed, Sep 28, 2016 at 5:49 PM, Melinda Shore wrote: > I think it's quite clearly the case that that is not going to happen. > But, that doesn't mean that these guys don't have a problem worth > addressing, even if they're asking for a crap solution to it. The >

Re: [TLS] Industry Concerns about TLS 1.3

On 9/28/16 4:36 PM, Tony Arcieri wrote: > The IETF is doing great work. This entire thread is a distraction, and I > hope it does not result in changes which weaken TLS 1.3's security. I think it's quite clearly the case that that is not going to happen. But, that doesn't mean that these guys

Re: [TLS] Industry Concerns about TLS 1.3

On Wed, Sep 28, 2016 at 4:27 PM, Melinda Shore wrote: > We have poor participation and representation from > enterprise networks. So now we've got someone showing up from > the enterprise space and saying "I have this problem related to > protocol changes." And

Re: [TLS] Industry Concerns about TLS 1.3

On 9/28/16 3:08 PM, Bill Frantz wrote: > On 9/28/16 at 2:01 AM, m...@sap.com wrote: >> I'm sorry, but I'm still violently opposed to the IETF endorsing >> backdooring of security protocols. > I find myself in violent agreement with Martin, and many others in the > IETF. This seems uncontroversial

Re: [TLS] Industry Concerns about TLS 1.3

> On 28 Sep 2016, at 7:16 PM, Dan Brown wrote: > > As I understand the concern, the worry is that Bud is compromising Bob's > (TLS) server, to somehow send Bob's plaintext to the wrong place. > > The proposed (existing?) strategy has Bob compromising his own >

Re: [TLS] Industry Concerns about TLS 1.3

Martin Rex wrote: > Stephen Farrell wrote: > > > > On 28/09/16 01:17, Seth David Schoen wrote: > > > People with audit authority can then know all of the secrets, > > > > How well does that whole audit thing work in the financial services > > industry? (Sorry, couldn't resist:-) > > I am

Re: [TLS] Industry Concerns about TLS 1.3

Stephen Farrell wrote: > > On 28/09/16 01:17, Seth David Schoen wrote: > > People with audit authority can then know all of the secrets, > > How well does that whole audit thing work in the financial services > industry? (Sorry, couldn't resist:-) I am actually having serious doubts that it

Re: [TLS] Industry Concerns about TLS 1.3

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Aloha! Salz, Rich wrote: >> I understand your concern over what the nation-state actors are >> doing but it is not the same as what Enterprises do to manage their >> private servers, networks and clients. > > Okay, in technical terms only, what is

Re: [TLS] Industry Concerns about TLS 1.3

Judson Wilson wrote: > > I think this challenge is best solved by putting the information on the > wire in some way, possibly as a special industry-specific extension (used > only by those who are bent on shooting themselves in the foot). The benefit > being that if the TLS channel is alive, the

Re: [TLS] Industry Concerns about TLS 1.3

Hi Andrew, I am coming from a different industry, the embedded industry, and for us at ARM the development of TLS 1.3 will help us to increase the security of Internet of Things devices as well as to improve the performance of the handshake. We are reaching out to developers and our partners to

Re: [TLS] Industry Concerns about TLS 1.3

On 28/09/16 01:17, Seth David Schoen wrote: > People with audit authority can then know all of the secrets, How well does that whole audit thing work in the financial services industry? (Sorry, couldn't resist:-) S. smime.p7s Description: S/MIME Cryptographic Signature

Re: [TLS] Industry Concerns about TLS 1.3

Seth David Schoen writes: > This configuration might be a bit dangerous because it means that > "servers, firewalls, load balancers, Internet proxies, and mainframes" > would all possess the information needed to decrypt _each other's_ > traffic, so someone inside or outside the organization who

Re: [TLS] Industry Concerns about TLS 1.3

ssl-and-early-tls> Thanks, Ron From: TLS <tls-boun...@ietf.org> on behalf of Tony Arcieri <basc...@gmail.com> Date: Tuesday, September 27, 2016 at 1:17 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: Jeffrey Walton <tls@ietf.org> Subject: Re: [TLS] Industry Concerns

Re: [TLS] Industry Concerns about TLS 1.3

On Mon, Sep 26, 2016 at 12:01 PM, BITS Security < bitssecur...@fsroundtable.org> wrote: > The PCI DSS is already requiring TLS 1.2 for financial institutions that > participate in the Payment Card Industry. .BANK (exclusive top level > banking domain) is also planning to require TLS 1.2. We're

Re: [TLS] Industry Concerns about TLS 1.3

.@fsroundtable.org> > Cc: Eric Rescorla <e...@rtfm.com>; tls@ietf.org > Subject: Re: [TLS] Industry Concerns about TLS 1.3 > > On Tue, Sep 27, 2016 at 06:07:28PM +, BITS Security wrote: >> Hi Eric--Thank you for the prompt. >> >> Our requirements are for the s

Re: [TLS] Industry Concerns about TLS 1.3

On Mon, Sep 26, 2016 at 4:55 PM, Martin Rex wrote: > And no, there can not be any valid regulations to require such > monitoring, because _every_ to the secrecy provisions and criminalization > requires an explicit law from the parlamentarian legislator. GDPR Article 88 leaves

Re: [TLS] Industry Concerns about TLS 1.3

BITS Security writes: > The various suggestions for creating fixed/static Diffie Hellman keys raise > interesting possibilities. We would like to understand these ideas better at > a technical level and are initiating research into this potential solution. > We need to understand the

Re: [TLS] Industry Concerns about TLS 1.3

] Sent: Tuesday, September 27, 2016 2:24 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: Eric Rescorla <e...@rtfm.com>; tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On Tue, Sep 27, 2016 at 06:07:28PM +, BITS Security wrote: > Hi Eric--Thank you

Re: [TLS] Industry Concerns about TLS 1.3

> On 27 Sep 2016, at 11:33 AM, Judson Wilson wrote: > > > > Yes, I know that changed. It was an example of something that works with > TLS 1.2 even when PFS is used. With TLS 1.3 server or client implementations > can find other ways to retain long-term records of

Re: [TLS] Industry Concerns about TLS 1.3

On Tue, Sep 27, 2016 at 06:07:28PM +, BITS Security wrote: > Hi Eric--Thank you for the prompt. > > Our requirements are for the same capabilities we have today with TLS > 1.2, namely to be able to take a trace anywhere in our enterprise and > decrypt it out of band (assuming that we own

Re: [TLS] Industry Concerns about TLS 1.3

this to our attention. - Andrew From: hugok...@gmail.com [mailto:hugok...@gmail.com] On Behalf Of Hugo Krawczyk Sent: Thursday, September 22, 2016 7:41 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 If the p

Re: [TLS] Industry Concerns about TLS 1.3

PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: Salz, Rich <rs...@akamai.com>; nalini.elk...@insidethestack.com; tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 Andrew, What would probably be most helpful here would be if you tried to describe what yo

Re: [TLS] Industry Concerns about TLS 1.3

Andrei Popov writes: >Won’t the TLS WG stop addressing newly found protocol-level security issues >in TLS 1.2 at some point in the future? They already have, which is the point of TLS-LTS.  Since that fixes all known issues (and that also includes long-standing

Re: [TLS] Industry Concerns about TLS 1.3

> > Yes, I know that changed. It was an example of something that works with > TLS 1.2 even when PFS is used. With TLS 1.3 server or client > implementations > can find other ways to retain long-term records of session keys. The > capability > to do that is not a requisite or desirable protocol

Re: [TLS] Industry Concerns about TLS 1.3

> On Sep 26, 2016, at 7:21 PM, Eric Rescorla wrote: > > There are other ways to accomplish this. For example, the server might > use session ticket keys that are stored centrally encrypted under a > suitable escrow key. If clients always enable session tickets, then > every

Re: [TLS] Industry Concerns about TLS 1.3

On Mon, Sep 26, 2016 at 4:09 PM, Viktor Dukhovni wrote: > > There are other ways to accomplish this. For example, the server might > use session ticket keys that are stored centrally encrypted under a > suitable escrow key. If clients always enable session tickets, then

Re: [TLS] Industry Concerns about TLS 1.3

> On Sep 26, 2016, at 3:23 PM, BITS Security > wrote: > > That said, at least one of the sites you mentioned was known to have an APT > inside their perimeter (Operation Aurora) for about a month and part of the > tactics within that attack which was publicly

Re: [TLS] Industry Concerns about TLS 1.3

BITS Security writes: > Outbound TLS connections require MITM for decryption. Inbound or > internal TLS connections can be decrypted with an RSA private key > under TLS 1.2. It would be unwise to build a security or regulatory structure on the principle that MITM

Re: [TLS] Industry Concerns about TLS 1.3

l.com> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 Andrew, Then I think your option is to persuade the regulators not to require TLS 1.3 for internal networks. Also, unlike SSL 3.0 - TLS 1.1, TLS 1.2 is not currently known to be weak or insecure, if properly

Re: [TLS] Industry Concerns about TLS 1.3

to keep using TLS 1.2 internally. Best, Xiaoyin From: BITS Security<mailto:bitssecur...@fsroundtable.org> Sent: Monday, September 26, 2016 3:02 PM To: Peter Bowen<mailto:pzbo...@gmail.com> Cc: tls@ietf.org<mailto:tls@ietf.org> Subject: Re: [TLS] Industry Concerns abou

Re: [TLS] Industry Concerns about TLS 1.3

tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 nalini.elk...@insidethestack.com writes: > [ Unknown encryption status ] > [ Unknown signature status ] > > > >>> >>> What I am saying,  in relation to your "Delivering a stable product" 

Re: [TLS] Industry Concerns about TLS 1.3

tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On Fri, Sep 23, 2016 at 2:10 PM, BITS Security <bitssecur...@fsroundtable.org> wrote: > we need a better option than TLS 1.2 that will, perhaps sooner than we might > expect, be deprecated. I'm somewhat confused here. The

Re: [TLS] Industry Concerns about TLS 1.3

Pawel Jakub Dawidek wrote: > > Because of that, every corporate network needs visibility inside TLS > traffic not only incoming, but also outgoing, so they can not only > debug, but also look for data leaks, malware, etc. There may be a some countries with poor civil liberty protections where

Re: [TLS] Industry Concerns about TLS 1.3

; -Original Message- > From: Salz, Rich [mailto:rs...@akamai.com] > Sent: Saturday, September 24, 2016 10:10 PM > To: Ackermann, Michael <mackerm...@bcbsm.com>; Pawel Jakub Dawidek < > p.dawi...@wheelsystems.com>; tls@ietf.org > Subject: RE: [TLS] Industry Co

Re: [TLS] Industry Concerns about TLS 1.3

Thijs van Dijk wrote: > > Regular clients, no. > But this would be a useful addition to debugging / scanning suites (e.g. > Qualys), or browser extensions for the security conscious (e.g. CertPatrol). With FREAK and LOGJAM attacks, there is a significant difference in effort between servers

Re: [TLS] Industry Concerns about TLS 1.3

On Sun, Sep 25, 2016 at 2:20 PM, Ackermann, Michael wrote: > > Again, let me restate, I don't think anyone is saying that we MUST have > RSA.But, we, as the clients of the IETF TLS protocol, would like to > work with you to assure we have workable, manageable and

Re: [TLS] Industry Concerns about TLS 1.3

t; -Original Message----- >> From: Jeffrey Walton [mailto:noloa...@gmail.com] >> Sent: Friday, September 23, 2016 10:55 AM >> To: Ackermann, Michael <mackerm...@bcbsm.com> >> Cc: BITS Security <bitssecur...@fsroundtable.org>; tls@ietf.org &

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 03:29:42PM -0400, Dave Garrett wrote: > > Yes, all of these other channels are protected using TLS... which you > do not control in any way. Also, many sites/services already prioritize > FS cipher suites, so the deprecation of plain RSA key exchange doesn't > actually

Re: [TLS] Industry Concerns about TLS 1.3

these two discrete factions with differing perspectives. -Original Message- From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Pawel Jakub Dawidek Sent: Saturday, September 24, 2016 2:54 AM To: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 Hello. As a vendor

Re: [TLS] Industry Concerns about TLS 1.3

> we need a better option than TLS 1.2 that will, > perhaps sooner than we might expect, be deprecated. Why? ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Industry Concerns about TLS 1.3

On 9/23/16 at 2:24 PM, bitssecur...@fsroundtable.org (BITS Security) wrote: But general-purpose messaging services (and other collaboration services) which don’t have an explicit man-in-the-middle (and don’t permit server-side access to user plaintext and can’t be observed by other means)

Re: [TLS] Industry Concerns about TLS 1.3

On Fri, Sep 23, 2016 at 2:10 PM, BITS Security wrote: > we need a better option than TLS 1.2 that will, perhaps sooner than we might > expect, be deprecated. I'm somewhat confused here. The concern over RSA for key exchange versus DH for key exchange would only

Re: [TLS] Industry Concerns about TLS 1.3

Andrew, You are requesting a major design change at the last minute, to restore a problematic feature that was removed due to its negative security impact. You should understand from the beginning that this is an extreme request. Moreso, you should understand that others in your industry have

Re: [TLS] Industry Concerns about TLS 1.3

On Fri, Sep 23, 2016 at 5:34 PM, BITS Security wrote: >> you can keep using TLS1.2 in your internal network, can't you? > > There are both public and private sector regulators arcing towards being more > prescriptive in this area. It is possible, if not likely, in

Re: [TLS] Industry Concerns about TLS 1.3

ilto:xiaoyi...@outlook.com] Sent: Friday, September 23, 2016 5:00 PM To: BITS Security <bitssecur...@fsroundtable.org>; Salz, Rich <rs...@akamai.com>; nalini.elk...@insidethestack.com Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 Andrew,   I don't understand wh

Re: [TLS] Industry Concerns about TLS 1.3

. The word scalable has a meaning. MITM scales linearly. > --Andrew > > > -Original Message- > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Watson Ladd > Sent: Friday, September 23, 2016 11:44 AM > To: Ackermann, Michael <mackerm...@bcbsm.com> >

Re: [TLS] Industry Concerns about TLS 1.3

onbl...@gmail.com] Sent: Thursday, September 22, 2016 3:06 PM To: BITS Security <bitssecur...@fsroundtable.org> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On Thu, Sep 22, 2016 at 10:19 AM, BITS Security <bitssecur...@fsroundtable.org> wrote: > To: IETF TL

Re: [TLS] Industry Concerns about TLS 1.3

Andrew, On 23/09/16 21:31, BITS Security wrote: > We do however want to raise our concern (and hopefully your > awareness) of what appears to be an unintended consequence of the > move to PFS-only choices. I don't believe I've heard anything in this discussion so far that wasn't well-known and

Re: [TLS] Industry Concerns about TLS 1.3

ann, Michael <mackerm...@bcbsm.com> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 You are implicitly suggesting to remove perfect-forward-secrecy as soon as a TLS flow is created by the CDN. However these packets will still be traveling over the public Internet and/or

Re: [TLS] Industry Concerns about TLS 1.3

kamai.com>; nalini.elk...@insidethestack.com<mailto:nalini.elk...@insidethestack.com> Cc: tls@ietf.org<mailto:tls@ietf.org> Subject: Re: [TLS] Industry Concerns about TLS 1.3 Rich (et al.) -- I understand where you are coming from but I will poke a little bit at this portray

Re: [TLS] Industry Concerns about TLS 1.3

> What is happening from our perspective is choice is being removed and an > adequate replacement has (seemingly) not been identified. So far I've seen two alternatives mentioned. Monitor at the endpoint, and use TLS 1.2. (You already have the PFS issue with TLS 1.1 and beyond). Not

Re: [TLS] Industry Concerns about TLS 1.3

Friday, September 23, 2016 3:08 PM > To: nalini.elk...@insidethestack.com > Cc: tls@ietf.org > Subject: Re: [TLS] Industry Concerns about TLS 1.3 > > > > It would be very interesting to get the network diagnostic and > operations people (rather than the architects) of t

Re: [TLS] Industry Concerns about TLS 1.3

> On 23 Sep 2016, at 10:08 PM, Salz, Rich wrote: > > > Look, pretty much the entire world is being spied on by national-scale > adversaries who are recording all traffic for eventual decryption and > correlation. *Almost everyone* is having their traffic surveilled. The >

Re: [TLS] Industry Concerns about TLS 1.3

: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 > It would be very interesting to get the network diagnostic and operations > people (rather than the architects) of the above companies involved in this > conversation. Nothing has ever stopped them. Never. Part

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 05:19:48PM +, BITS Security wrote: > To: IETF TLS 1.3 Working Group Members > > Deprecation of the RSA key exchange in TLS 1.3 will cause significant > problems for financial institutions, almost all of whom are running > TLS internally and have significant,

Re: [TLS] Industry Concerns about TLS 1.3

I work in the payments industry, but I am not speaking on behalf of my employer. I would like to note that if the approaches outlined in the "BITS Security" post are the preferred ones for the companies they represent, those companies have made a huge strategic blunder and should correct those

Re: [TLS] Industry Concerns about TLS 1.3

What exactly is the problem you are concerned with? As I've pointed out previously one can still log the contents of TLS protected connections: you do this at the client, or with an intercepting proxy. What information does this not get you that you need on the network? For enterprises using

Re: [TLS] Industry Concerns about TLS 1.3

> Look, pretty much the entire world is being spied on by national-scale > adversaries who are recording all traffic for eventual decryption and > correlation. *Almost everyone* is having their traffic surveilled. The > problems of debugging a set of enterprise apps doesn’t amount to a hill of

Re: [TLS] Industry Concerns about TLS 1.3

never leaves the virtual server. --Andrew -Original Message- From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Watson Ladd Sent: Friday, September 23, 2016 11:44 AM To: Ackermann, Michael <mackerm...@bcbsm.com> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On

Re: [TLS] Industry Concerns about TLS 1.3

> It would be very interesting to get the network diagnostic and operations > people (rather than the architects) of the above companies involved in this > conversation. Nothing has ever stopped them. Never. Participation is as simple as joining a mailing list. The IETF has been doing SSL

Re: [TLS] Industry Concerns about TLS 1.3

> From: Watson Ladd [mailto:watsonbl...@gmail.com] > Sent: Friday, September 23, 2016 11:44 AM > To: Ackermann, Michael <mackerm...@bcbsm.com> > Cc: noloa...@gmail.com; tls@ietf.org > Subject: Re: [TLS] Industry Concerns about TLS 1.3 > > On Fri, Sep 23, 2016 at 8:31 AM

Re: [TLS] Industry Concerns about TLS 1.3

Message- From: Watson Ladd [mailto:watsonbl...@gmail.com] Sent: Friday, September 23, 2016 11:44 AM To: Ackermann, Michael <mackerm...@bcbsm.com> Cc: noloa...@gmail.com; tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On Fri, Sep 23, 2016 at 8:31 AM, Ackermann, Michael &l

Re: [TLS] Industry Concerns about TLS 1.3

ay, September 23, 2016 10:55 AM > To: Ackermann, Michael <mackerm...@bcbsm.com> > Cc: BITS Security <bitssecur...@fsroundtable.org>; tls@ietf.org > Subject: Re: [TLS] Industry Concerns about TLS 1.3 > > On Fri, Sep 23, 2016 at 10:46 AM, Ackermann, Michael <mackerm...@bc

Re: [TLS] Industry Concerns about TLS 1.3

<bitssecur...@fsroundtable.org> Cc: tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 If the problem is the use of forward secrecy then there is a simple solution, don't use it. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/m

Re: [TLS] Industry Concerns about TLS 1.3

On Fri, Sep 23, 2016 at 10:46 AM, Ackermann, Michael wrote: > From the perspective an Enterprise that runs these applications and has > invested HEAVILY in the debugging networks. > > The reason we are debugging these networks is so that "The 5-6 order of >

Re: [TLS] Industry Concerns about TLS 1.3

y, September 23, 2016 4:06 AM To: Yuhong Bao <yuhongbao_...@hotmail.com>; BITS Security <bitssecur...@fsroundtable.org>; tls@ietf.org Subject: Re: [TLS] Industry Concerns about TLS 1.3 On 22/09/16 19:36, Yuhong Bao wrote: > This also reminds me of > https://bugzilla.mozilla.or

Re: [TLS] Industry Concerns about TLS 1.3

9:48 AM > To: tls@ietf.org > Subject: [TLS] Industry Concerns about TLS 1.3 > > To:  IETF TLS 1.3 Working Group Members > > My name is Andrew Kennedy and I work at BITS, the technology policy division > of the Financial Services Roundtable (http://www.fsroundtable.org/bits).  My

Re: [TLS] Industry Concerns about TLS 1.3

bad decision if I'm following it correctly. S. > > > From: TLS <tls-boun...@ietf.org> on behalf of BITS Security > <bitssecur...@fsroundtable.org> > Sent: Thursday, September 22, 2016 10:19:48 AM > To: tls@ietf.org > Subject: [

Re: [TLS] Industry Concerns about TLS 1.3

On 23 September 2016 at 04:04, Colm MacCárthaigh wrote: > If the problem is the use of forward secrecy then there is a simple solution, don't use it. That is, you can, as a server, have a fixed key_share for which the secret exponent becomes the private key

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 8:53 PM, Geoffrey Keating wrote: > Ryan Carboni writes: > > > in the internet of things, DH is actually > > less secure than normal public key exchange. Servers are more likely to > > have entropy than embedded devices. > > I think

Re: [TLS] Industry Concerns about TLS 1.3

Ryan Carboni writes: > in the internet of things, DH is actually > less secure than normal public key exchange. Servers are more likely to > have entropy than embedded devices. I think that's backwards; in a 'normal' public key exchange, it is the client that generates the

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 4:59 PM, Hugo Krawczyk wrote: > On Thu, Sep 22, 2016 at 7:50 PM, Colm MacCárthaigh > wrote: > >> On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk >> wrote: >> >>> If the problem is the use of forward

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk wrote: > If the problem is the use of forward secrecy then there is a simple > solution, don't use it. > That is, you can, as a server, have a fixed key_share for which the secret > exponent becomes the private key exactly as

Re: [TLS] Industry Concerns about TLS 1.3

day, September 22, 2016 10:19:48 AM To: tls@ietf.org<mailto:tls@ietf.org> Subject: [TLS] Industry Concerns about TLS 1.3 To: IETF TLS 1.3 Working Group Members My name is Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (http://www.fsroundtab

Re: [TLS] Industry Concerns about TLS 1.3

i?id=1188657 From: TLS <tls-boun...@ietf.org> on behalf of BITS Security <bitssecur...@fsroundtable.org> Sent: Thursday, September 22, 2016 10:19:48 AM To: tls@ietf.org Subject: [TLS] Industry Concerns about TLS 1.3 To: IETF TLS 1.3 Working Group Members M

Re: [TLS] Industry Concerns about TLS 1.3

Hi, Andrew. Thank you for bringing these concerns to the list. I agree with Kenny that this is rather late, but it’s also true that I don’t think it would change the outcome of the consensus in this working group. The quest to mandate FS in TLS-using applications goes back longer than this

Re: [TLS] Industry Concerns about TLS 1.3

s also reminds me of https://bugzilla.mozilla.org/show_bug.cgi?id=1188657 From: TLS <tls-boun...@ietf.org> on behalf of BITS Security <bitssecur...@fsroundtable.org> Sent: Thursday, September 22, 2016 10:19:48 AM To: tls@ietf.org Subject: [TLS] Indus

Re: [TLS] Industry Concerns about TLS 1.3

Mandating forward secrecy for TLS 1.3+ has been a strong consensus of this working group, so there's no point in myself or any other contributors just mass-replying with a big "no" here. That said, there is one puzzling thing I'm curious about: On Thursday, September 22, 2016 01:19:48 pm BITS

Re: [TLS] Industry Concerns about TLS 1.3

+1 to what Kenny said. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 1:19 PM, BITS Security < bitssecur...@fsroundtable.org> wrote: > Like many enterprises, financial institutions depend upon the ability to > decrypt TLS traffic to implement data loss protection, intrusion detection > and prevention, malware detection, packet capture and

Re: [TLS] Industry Concerns about TLS 1.3

Hi Andrew, My view concerning your request: no. Rationale: We're trying to build a more secure internet. Meta-level comment: You're a bit late to the party. We're metaphorically speaking at the stage of emptying the ash trays and hunting for the not quite empty beer cans. More exactly, we

Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 10:19 AM, BITS Security wrote: > To: IETF TLS 1.3 Working Group Members > > My name is Andrew Kennedy and I work at BITS, the technology policy division > of the Financial Services Roundtable (http://www.fsroundtable.org/bits). My >

[TLS] Industry Concerns about TLS 1.3

To: IETF TLS 1.3 Working Group Members My name is Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (http://www.fsroundtable.org/bits). My organization represents approximately 100 of the top 150 US-based financial services companies