On Wed, Sep 28, 2016 at 4:27 PM, Melinda Shore <melinda.sh...@nomountain.net> wrote:

> We have poor participation and representation from
> enterprise networks.  So now we've got someone showing up from
> the enterprise space and saying "I have this problem related to
> protocol changes."  And yeah, he's very, very late in this
> process, although it's worth pointing out that it's in the best
> tradition of the IETF to deal with technical problems that crop
> up with documents at any point in their development.


"BITS Security" is representing *some* companies in the payments space,
namely these ones: http://fsroundtable.org/members/

Their concerns are not representative of "the enterprise", "the industry",
"the payments space", etc. In fact some of the companies in the
aforementioned link have personally contacted me to note they disagree with
"BITS Security". Even among their cabal, their opinion is contentious.

My personal opinion, as a security professional directly working on
implementing TLS for a payments company, is their last-minute proposed
changes would harm the security of our payments platform. I want to deploy
TLS 1.3 in its current form. I also think the reasoning for their proposed
changes is based on flawed premises.

There are relevant industry groups BITS Security seems actually concerned
with, such as the PCI Council. BITS Security should be voicing their
concerns there, and the PCI Council should be working with the IETF to
implement such changes if they're actually deemed necessary.

I do not think this is a case of the IETF failing to understand "industry
requirements". I strongly disagree the proposal represents "industry
requirements" at all. I think they are trying to subvert the IETF process
because they have inadequate security processes and they do not want to see
their inadequate processes disturbed by security improvements to TLS.

As a payments professional, my personal opinion is improving the security
of TLS is *paramount*. The voiced concerns are not representative of
"enterprise", "industry", or "payments" as a whole, but a last-minute
opinion of companies who haven't been paying attention to the process and who
do not want to invest in upgrading their security practices.

The IETF is doing great work. This entire thread is a distraction, and I
hope it does not result in changes which weaken TLS 1.3's security.

-- 
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls