On Tue, Sep 27, 2016 at 11:34 AM, BITS Security <bitssecur...@fsroundtable.org> wrote:
> Ilari - I understand your (and others') view on this but there is no technical reason why this couldn't be part of the standard. A potential solution, like many cipher suite *choices* in past versions of TLS, would be optional and up to both clients and servers to configure what they are willing to support (or not support). You appear to be assuming everyone is running off the same set of requirements (one-size-fits-all) and we are here to tell you that isn't necessarily true.

Why does the TLS 1.3 document need to include this, as opposed to a separate extension? I do think you are ignoring the very real weaknesses your network architecture has: any user account with the ability to decrypt TLS sessions networkwide can easily be a jumping off point for total ownage. Many authentication solutions depend on TLS traffic being secure.

Sincerely,
Watson Ladd

>
> - Andrew
>
>
> -----Original Message-----
> From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com]
> Sent: Tuesday, September 27, 2016 2:24 PM
> To: BITS Security <bitssecur...@fsroundtable.org>
> Cc: Eric Rescorla <e...@rtfm.com>; tls@ietf.org
> Subject: Re: [TLS] Industry Concerns about TLS 1.3
>
> On Tue, Sep 27, 2016 at 06:07:28PM +0000, BITS Security wrote:
>> Hi Eric--Thank you for the prompt.
>>
>> Our requirements are for the same capabilities we have today with TLS
>> 1.2, namely to be able to take a trace anywhere in our enterprise and
>> decrypt it out of band (assuming that we own the TLS server). This
>> includes traces taken from physical taps, traces from span or mirror
>> ports, traces from the virtual environment, and/or traces from agents
>> on workstations. We need to be able to apply a key to sniffer
>> devices, security and fraud monitoring tools, APM devices, and/or TLS
>> decryption appliances.
>
> No changes to standards are going to happen to make that any easier.
> Don't waste your time.
>
>
> -Ilari
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
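The disagreement above turns on one mechanical fact: with TLS 1.2 static RSA or static DH key exchange, the server's long-term private key is enough to recover every session key from a passive capture, which is exactly what the "apply a key to a decryption appliance" workflow relies on and exactly why that key is the single point of compromise Watson describes; with the ephemeral (EC)DHE that TLS 1.3 mandates, the long-term key only authenticates the handshake and never enters the key derivation. The following toy model is an added illustration written for this page, not code from the thread or from any TLS implementation. It assumes a constructed toy group (p = 2^255 - 19, g = 2, chosen for the algebra only and not a real TLS group), a SHA-256 keystream standing in for the record-layer AEAD, a constructed sample message, and it omits the server's signature over its ephemeral share.

```python
"""Toy model: why a server's long-term key decrypts captured TLS 1.2
static-key-exchange traffic but not TLS 1.3 ephemeral-DH traffic.

Constructed illustration only: toy group, toy keystream cipher, and
no handshake signature.  Nothing here is a real TLS implementation.
"""
import hashlib
import secrets

# Toy group parameters (constructed for the demo; not a real TLS group).
P = 2**255 - 19
G = 2


def keygen():
    """Return (private exponent, public share) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(b"toy-tls|" + shared.to_bytes(32, "big")).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream.  Symmetric, so it also
    decrypts.  Real TLS uses an AEAD; this is only to make 'can the
    appliance read the bytes' concrete."""
    out = bytearray()
    for i, j in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[j:j + 32], ks))
    return bytes(out)


def handshake_static(server_pub: int, msg: bytes) -> dict:
    """TLS 1.2-style static key exchange (RSA key transport / static DH):
    the client's fresh share is combined with the server's LONG-TERM key.
    Returns what a passive tap on the wire sees."""
    c_priv, c_pub = keygen()
    key = derive_key(pow(server_pub, c_priv, P))
    return {"client_share": c_pub, "ciphertext": toy_encrypt(key, msg)}


def handshake_ephemeral(server_pub: int, msg: bytes) -> dict:
    """TLS 1.3-style (EC)DHE: both sides use fresh shares.  The server's
    long-term key would only SIGN e_pub (omitted here); it never enters
    the key derivation, and the server discards e_priv afterwards."""
    c_priv, c_pub = keygen()
    e_priv, e_pub = keygen()
    key = derive_key(pow(c_pub, e_priv, P))  # client computes pow(e_pub, c_priv, P)
    del e_priv  # forward secrecy: the ephemeral secret is not retained
    return {"client_share": c_pub, "server_share": e_pub,
            "ciphertext": toy_encrypt(key, msg)}


def decrypt_out_of_band(transcript: dict, server_priv: int) -> bytes:
    """What a decryption appliance holding only the server's long-term
    private key can do with a captured transcript: combine that key with
    the client's share, which is the TLS 1.2 static-key-exchange recipe.
    Against an ephemeral handshake the same recipe produces an unrelated
    value, because the session key depends on a secret nobody kept."""
    guess = pow(transcript["client_share"], server_priv, P)
    return toy_encrypt(derive_key(guess), transcript["ciphertext"])


def demo(msg: bytes = b"Cookie: session=CONSTRUCTED-SAMPLE-TOKEN") -> dict:
    """Run both handshakes against one long-term server key and report
    whether the passive out-of-band decryption recovered the plaintext."""
    s_priv, s_pub = keygen()
    static_ok = decrypt_out_of_band(handshake_static(s_pub, msg), s_priv) == msg
    eph_ok = decrypt_out_of_band(handshake_ephemeral(s_pub, msg), s_priv) == msg
    return {"static_key_exchange_decryptable": static_ok,
            "ephemeral_dh_decryptable": eph_ok}


if __name__ == "__main__":
    print(demo())
```

The point the model makes for a defender is the one Watson makes in prose: in the static case, whoever holds the server key (an appliance, a share, a compromised admin account) can read every past and future capture, so that key is a network-wide secret; in the ephemeral case the only thing the long-term key buys a passive observer is nothing, and any monitoring design has to move to the endpoint (key export from the server or client process) rather than to the wire.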