On Tue, Mar 13, 2018 at 1:52 PM, Ted Lemon <mel...@fugue.com> wrote:
> In addition, you are reducing compartmentalization with your keying
> strategy—in order to make communications easily decryptable, you have to
> have broadly-shared keys, and that reduces the amount of
> compartmentalization that TLS can provide between disparate elements in your
> networks.
> We have seen the result of poor compartmentalization on network security—the
> most recent really egregious example being the Equifax, which would have
> been a lot less bad if Equifax had employed the sort of basic
> compartmentalization precautions that the NIST recommends.   Reducing
> compartmentalization inevitably makes it easier for an adversary to
> infiltrate your network and exfiltrate private user data.

And I wonder how come that after all hundreds of discussions the
compartmentalization issue is not addressed properly in draft-fenter.
Because simply stating that "typically, only select groups within an
organization [are able to see decrypted traffic]" doesn't seem enough.

(this is just a single example of an issue with that draft)

| Artyom Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: xima...@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58

TLS mailing list

Reply via email to