On Fri, Sep 23, 2016 at 5:34 PM, BITS Security <bitssecur...@fsroundtable.org> wrote:
>> you can keep using TLS1.2 in your internal network, can't you?
>
> There are both public and private sector regulators arcing towards being more
> prescriptive in this area. It is possible, if not likely, in the not too
> distant future that my member companies will not have the choice to
> "downgrade" to "obsolete" TLS versions.
It's not the first time C&A has worked against security. Password complexity and rotation policies come to mind; they cause the security in the system to drop as users are forced to comply.

Would a KMIP/KeyServer help? Hosts can ask the key server for its random key or seed material, and then use them for key derivation and for protocol execution. I built a proof-of-concept interception proxy to do it a few years ago to help understand the intersection of a service like CipherCloud with C&A.

Jeff

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls