I will pretty much repeat what I said below. Significant fundamental
infrastructure changes, are very difficult for very large organizations to
assimilate. Because of time and resource issues, large organizations would
seek to avoid major, overhaul type changes, wherever possible. The larger
the organization, the more ominous such challenges become. I am sure I am
not telling you anything you do not already know.
But, "Not making any changes" does not fall into this category.
The fact that Enterprises are finally coming to the IETF table, should be
sufficient to show the willingness to be involved, flexible, compromise and
yes................. change as necessary.
From the beginning, many Enterprises have waned nothing more than to have
their use cases accepted as valid, by the IETF, and to collaborate with the
IETF SMEs, on crafting optimal solutions.
I guess I am personally still naïve enough to believe this can occur.
To keep using TLS1.2 has been proposed and discussed many times over the past
year or so and is not acceptable for many reasons outlined in Steve Fenters
draft. So I will refer to that, rather than add repetition to the list. But
suffice to say it is well beyond PCI for most Enterprises.
From: Ted Lemon [mailto:mel...@fugue.com]
Sent: Tuesday, March 13, 2018 4:28 PM
To: Ackermann, Michael <mackerm...@bcbsm.com>
Cc: nalini elkins <nalini.elk...@e-dco.com>; <email@example.com> <firstname.lastname@example.org>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
On Mar 13, 2018, at 3:20 PM, Ackermann, Michael <mackerm...@bcbsm.com> wrote:
> I think that most Enterprises are not espousing any conversations "how can we
> avoid making any changes?"
With respect, Michael, when I have conversed with you about this in the past,
that is precisely what you have asked for. You do not want to have to change
your operational methodology, and any change to TLS that forces you to change
your operational methodology is unacceptable to you. I understand why that is,
and I sympathize, but let's please be clear that this is your precise goal.
> But we would seek to avoid unnecessary, wholesale, infrastructure
> architectural changes.
There's an easy way to do this, although as a sometime bank security geek I
would strongly advise you to not do it: keep using TLS 1.2.
Of course, you've also explained why that isn't acceptable to you—you are
afraid that the payment card industry will eventually force you to use TLS 1.3,
just as they have, rather ineffectively, tried to insist that you use TLS 1.2.
Now why would they do that?
The information contained in this communication is highly confidential and is
intended solely for the use of the individual(s) to whom this communication is
directed. If you are not the intended recipient, you are hereby notified that
any viewing, copying, disclosure or distribution of this information is
prohibited. Please notify the sender, by electronic mail or telephone, of any
unintended receipt and delete the original message without making any copies.
Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are
nonprofit corporations and independent licensees of the Blue Cross and Blue
TLS mailing list