I will pretty much repeat what I said below.   Significant fundamental 
infrastructure changes,  are very difficult for very large organizations to 
assimilate.   Because of time and resource issues,  large organizations would 
seek to avoid major, overhaul type changes,  wherever possible.    The larger 
the organization,  the more ominous such challenges become.   I am sure I am 
not telling you anything you do not already know.  
But,    "Not making any changes" does not fall into this category.  
The fact that Enterprises are finally coming to the IETF table,  should be 
sufficient to show the willingness to be involved,  flexible,  compromise and 
yes................. change as necessary.  
From the beginning,  many Enterprises have waned nothing more than to have 
their use cases accepted as valid,  by the IETF,  and to collaborate with the 
IETF SMEs,  on crafting optimal solutions.  
I guess I am personally  still naïve enough to believe this can occur.  

To keep using TLS1.2 has been proposed and discussed many times over the past 
year or so and is not acceptable for many reasons outlined in Steve Fenters 
draft.  So I will refer to that, rather than add repetition to the list.  But 
suffice to say it is well beyond PCI for most Enterprises.  

-----Original Message-----
From: Ted Lemon [mailto:mel...@fugue.com] 
Sent: Tuesday, March 13, 2018 4:28 PM
To: Ackermann, Michael <mackerm...@bcbsm.com>
Cc: nalini elkins <nalini.elk...@e-dco.com>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted

On Mar 13, 2018, at 3:20 PM, Ackermann, Michael <mackerm...@bcbsm.com> wrote:
> I think that most Enterprises are not espousing any conversations "how can we 
> avoid making any changes?"

With respect, Michael, when I have conversed with you about this in the past, 
that is precisely what you have asked for.   You do not want to have to change 
your operational methodology, and any change to TLS that forces you to change 
your operational methodology is unacceptable to you.  I understand why that is, 
and I sympathize, but let's please be clear that this is your precise goal.

> But we would seek to avoid unnecessary,  wholesale, infrastructure 
> architectural changes.

There's an easy way to do this, although as a sometime bank security geek I 
would strongly advise you to not do it: keep using TLS 1.2.

Of course, you've also explained why that isn't acceptable to you—you are 
afraid that the payment card industry will eventually force you to use TLS 1.3, 
just as they have, rather ineffectively, tried to insist that you use TLS 1.2.

Now why would they do that?

The information contained in this communication is highly confidential and is 
intended solely for the use of the individual(s) to whom this communication is 
directed. If you are not the intended recipient, you are hereby notified that 
any viewing, copying, disclosure or distribution of this information is 
prohibited. Please notify the sender, by electronic mail or telephone, of any 
unintended receipt and delete the original message without making any copies.
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are 
nonprofit corporations and independent licensees of the Blue Cross and Blue 
Shield Association.
TLS mailing list

Reply via email to