Ilari - I understand your (and others') view on this, but there is no technical
reason why this couldn't be part of the standard.  A potential solution, like
many cipher suite *choices* in past versions of TLS, would be optional and up
to both clients and servers to configure what they are willing to support (or
not support).  You appear to be assuming everyone is running off the same set
of requirements (one-size-fits-all), and we are here to tell you that isn't
necessarily true.

- Andrew
-----Original Message-----
From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com] 
Sent: Tuesday, September 27, 2016 2:24 PM
To: BITS Security <bitssecur...@fsroundtable.org>
Cc: Eric Rescorla <e...@rtfm.com>; tls@ietf.org
Subject: Re: [TLS] Industry Concerns about TLS 1.3

On Tue, Sep 27, 2016 at 06:07:28PM +0000, BITS Security wrote:
> Hi Eric--Thank you for the prompt.  
> 
> Our requirements are for the same capabilities we have today with TLS 
> 1.2, namely to be able to take a trace anywhere in our enterprise and 
> decrypt it out of band (assuming that we own the TLS server).  This 
> includes traces taken from physical taps, traces from span or mirror 
> ports, traces from the virtual environment, and/or traces from agents 
> on workstations.  We need to be able to apply a key to sniffer 
> devices, security and fraud monitoring tools, APM devices, and/or TLS 
> decryption appliances.

No changes to standards are going to happen to make that any easier.
Don't waste your time.


-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
