Andrew,

You are requesting a major design change at the last minute, to restore a 
problematic feature that was removed due to its negative security impact. You 
should understand from the beginning that this is an extreme request. More so, 
you should understand that others in your industry have no problem complying 
with US and international regulations, while using PFS cipher suites.

I am personally aware of two of the largest financial organizations in the US 
that actually require PFS suites for all internal and external applications, 
and use endpoint security applications to handle this issue. It may not be as 
convenient as what you are doing now, but it is a problem that has already been 
solved, and solved effectively.

Before claiming that the IETF is eliminating your choice, you may want to take 
a closer look at how those in your industry have already dealt with this. There 
are effective solutions that have already been mentioned, that don’t involve 
reducing the security of every TLS user around the globe.

Personally, I agree completely with Kenny’s response - the answer is simply no. 
It’s too large of a change, it has too large of a security impact, and there 
are established solutions to address your issues.

--
Adam Caudill
a...@adamcaudill.com
http://adamcaudill.com/


> On Sep 23, 2016, at 5:34 PM, BITS Security <bitssecur...@fsroundtable.org> 
> wrote:
> 
>> you can keep using TLS1.2 in your internal network, can't you?
> 
> There are both public and private sector regulators arcing towards being more 
> prescriptive in this area.  It is possible, if not likely, in the not too 
> distant future that my member companies will not have the choice to 
> "downgrade" to "obsolete" TLS versions.
> 
> Note: the standards track document says it "Obsoletes: RFC 5246" which is TLS 
> 1.2.  That's a signal that may prove difficult to divert in this rapidly 
> evolving threat and regulatory environment.
> 
> - Andrew
> 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls