My responses for today are all in this message, including a response to Ralph. I'm going to try not to engage on this again until tomorrow.
On Mar 14, 2018, at 6:52 PM, nalini elkins <nalini.elk...@e-dco.com> wrote:

> 1. Multiple standards are likely to diverge.

We don't need multiple standards, so this isn't an issue. What you need is to define the behavior that you need from your TLS implementation to give you the visibility that you want.

> 2. The TLS WG of the IETF has many of the world's experts in defining such
> protocols. The years of collective expertise is remarkable. We want to
> work with the TLS group not try to recreate it.

Of course, it would be ideal for you if you could get the TLS working group to do this work for you.

> 3. The reason I support the enterprises and their voice in TLS is because I
> am naive enough to actually believe in the IETF. I believe that technical
> truth matters. That it is not actually the Vendor Engineering Task Force.
> That is a group of the vendors, by the vendors and for the vendors. I could
> see when this whole thing with taking away RSA was happening that correct
> though it may be, it was going to cause enormous disruption for many, many
> people in the commercial world. You may not believe it, but I am actually
> doing this because I really believe that we need one set of standards that
> everyone can use. I want it to be in the TLS WG. I want the TLS WG to be
> credible and succeed and I want the IETF to succeed. I believe that the
> Internet needs it.

The problem isn't that we don't believe that it will involve significant work for you to secure your customer's data.

> 4. Again, believe it or not, the TLS WG needs the enterprises. Of course,
> this is all my opinion only. These enterprises are a huge group of users of
> the IETF protocols and TLS in particular. The feedback of users is
> irreplaceable. Who are we building the protocols for if not the users?
> Sure, there are multiple sets, but these are a very large group.

This is the crux of the question: who are the users whose needs the TLS working group is serving?

Any discussion that doesn't begin by answering this question is going to be non-terminal. I believe it's your position that the "user" is the large corporation; an alternate view, which appears to be shared by quite a few participants here, is that the user is the end user: the person who, if their data security is compromised, will wind up bearing the cost of that compromise.

> Enterprises value security and privacy. They have a different job to do.
> What they are trying to do is to protect against leakage of data, do fraud
> monitoring, protect against malware and many other things. When this gets
> into the medical arena, it can even be lives. I don't even see how you can
> say what you are saying.

None of these applications require changes to TLS 1.3. If you think they do, you need to walk us through your reasoning. The reason we can say what we are saying is that we understand that none of what you have mentioned here requires that TLS 1.3 be weakened.

> But, it is a very difficult issue. If I can use a different analogy, if the
> City of Monterey built a new sewer system and told me that to connect to it,
> I had to build a new house, I would scream!

That's a great analogy, but we are talking about software, not houses. There is no technical reason why switching to TLS 1.3 requires you to build a new house. It does require you to update your software, and there is no doubt a real cost to that. There may even be software that you will have to stop using. But any software that you would have to stop using is software you already should not be using, because it's not supported.

> I would not agree with that. People understand that sometimes they have to
> pay when there are protocol and other changes. It is a question of if you
> could do everything that you needed to do to protect your customers even if
> you re-built your network from the ground up.

I don't think there's any question that if you rebuilt your network from the ground up, you could use TLS 1.3.

If you think this is not the case, it would help if you could say what precisely stands in the way.

On Mar 14, 2018, at 10:32 PM, Ralph Droms <rdroms.i...@gmail.com> wrote:

> And there is a name for this sort of labeling - it's called an "ad hominem
> attack". I don't believe anyone is employing "consensus by exhaustion".
> Please don't attach unwarranted labels to honest attempts to explain
> requirements and develop solutions.

Ralph, the problem is not that these attempts to explain requirements are not honest. It is that until we agree on who we are protecting, talking about requirements doesn't really help: the requirements of people who are not our priority are interesting, but not important. And because we are discussing requirements before we have agreed as to whether or not it is okay to weaken the security of the protocol, the discussion is non-terminal. I've just quoted from three of the five long messages Ms. Elkins sent to the mailing list today, for example. This is a serious problem: the working group cannot afford to debate this point indefinitely when the discussion is non-terminal. It is not "ad hominem" (an argument about a person) to say that it would be better if the working group chairs were to declare this issue closed. There is a clear benefit to doing so.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls