On 11/5/17 10:31 AM, Florian Weimer wrote:
> * Nancy Cam-Winget:
>
>> @IETF99, awareness was raised to some of the security WGs (thanks
>> Kathleen ☺) that TLS 1.3 will obscure visibility currently afforded in
>> TLS 1.2 and asked what the implications would be for the security
>> solutions today.
>> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00 is an
>> initial draft to describe some of the impacts relating to current
>> network security solutions.  The goal of the draft is NOT to propose
>> any solution as a few have been proposed, but rather to raise
>> awareness to how current network-based security solutions work today
>> and their impact on them based on the current TLS 1.3 specification.
>
> I'm not sure if this approach is useful, I'm afraid.  The draft is
> basically a collection of man-in-the-middle attacks many people would
> consider benign.  It's unclear where the line is drawn: traffic
> optimization/compression and ad suppression/replacement aren't
> mentioned, for example, and I would expect both to be rather low on
> the scale of offensiveness.

We didn't draw any particular line, but the use case scenarios that we tried to highlight are those related to overall security and regulatory requirements (including public sector) where a network-based solution currently exists, and (we believe) is not easily replaced. A number of these are routinely encountered in present-day enterprise, cloud and public sector, and we believe they will continue to be relevant. On top of that, we have a rapidly expanding base of IoT endpoints with limited capabilities, which presents a whole new and highly vulnerable attack surface.

> What the draft is essentially arguing is that many users cannot afford
> end-to-end encryption for various reasons, some legal, some technical,
> some political.  But it seems to me that this is currently not a
> viewpoint shared by the IETF.

That is our read of the current situation as well; however, the concern is that by focusing solely on privacy and e2e security, there are additional important considerations that are being ignored. Our intent with the draft is to illustrate some of those and see if we can get to some consensus around the need to address those (and/or possibly others).

Thanks

-- Flemming


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
